mirror of
https://github.com/discourse/discourse.git
synced 2024-12-23 01:56:28 +08:00
ecf7a4f0c6
We add `Access-Control-Allow-Origin: *` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors. This commit updates the logic to give the `*` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header). The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent.
34 lines
1.0 KiB
Ruby
34 lines
1.0 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe HighlightJsController do
|
|
it "works via the site URL" do
|
|
get HighlightJs.path
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("export default function")
|
|
expect(response.headers["Access-Control-Allow-Origin"]).to eq(nil)
|
|
end
|
|
|
|
it "works via a CDN" do
|
|
cdn = "https://original-app-cdn.example.com"
|
|
set_cdn_url cdn
|
|
|
|
get "#{cdn}#{HighlightJs.path}"
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("export default function")
|
|
expect(response.headers["Access-Control-Allow-Origin"]).to eq("*")
|
|
end
|
|
|
|
it "works via a CDN when site has cors configuration" do
|
|
cdn = "https://original-app-cdn.example.com"
|
|
set_cdn_url cdn
|
|
|
|
global_setting :enable_cors, true
|
|
SiteSetting.cors_origins = "https://example.com"
|
|
|
|
get "#{cdn}#{HighlightJs.path}"
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("export default function")
|
|
expect(response.headers["Access-Control-Allow-Origin"]).to eq("*")
|
|
end
|
|
end
|