Chore: Add API CORS policy to HTML preview routes (#434)

2025-08-15 20:13:16 +02:00 · 2025-02-02 15:57:40 +13:00
parent 86b5524217
commit 496bf17db7
1 changed files with 14 additions and 3 deletions
--- a/server/server.go
+++ b/server/server.go
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"regexp"
 	"strings"
 	"sync/atomic"
 	"text/template"
@@ -33,8 +34,13 @@ import (
 //go:embed ui
 var embeddedFS embed.FS

-// AccessControlAllowOrigin CORS policy
-var AccessControlAllowOrigin string
+var (
+	// AccessControlAllowOrigin CORS policy
+	AccessControlAllowOrigin string
+
+	// htmlPreviewRouteRe is a regexp to match the HTML preview route
+	htmlPreviewRouteRe *regexp.Regexp
+)

 // Listen will start the httpd
 func Listen() {
@@ -233,7 +239,12 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {

 		w.Header().Set("Content-Security-Policy", cspHeader)

-		if AccessControlAllowOrigin != "" && strings.HasPrefix(r.RequestURI, config.Webroot+"api/") {
+		if htmlPreviewRouteRe == nil {
+			htmlPreviewRouteRe = regexp.MustCompile(`^` + regexp.QuoteMeta(config.Webroot) + `view/[a-zA-Z0-9]+\.html$`)
+		}
+
+		if AccessControlAllowOrigin != "" &&
+			(strings.HasPrefix(r.RequestURI, config.Webroot+"api/") || htmlPreviewRouteRe.MatchString(r.RequestURI)) {
 			w.Header().Set("Access-Control-Allow-Origin", AccessControlAllowOrigin)
 			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS")
 			w.Header().Set("Access-Control-Allow-Headers", "*")