Disable CORS and CSP restrictions for development

This commit is contained in:
Julio Cesar
2025-08-30 00:23:48 +02:00
parent 1ed644f1c0
commit 757044510c


@@ -22,7 +22,7 @@ function createApp(): Express {
// Restrict CORS to the predefined frontend URL // Restrict CORS to the predefined frontend URL
app.use( app.use(
cors({ cors({
origin: FRONTEND_URL, // origin: FRONTEND_URL,
}) })
) )
app.use(express.json()) app.use(express.json())
@@ -33,32 +33,32 @@ function createApp(): Express {
if (!origin) { if (!origin) {
return res.status(403).json({ error: "Missing Origin header" }) return res.status(403).json({ error: "Missing Origin header" })
} }
if (origin !== FRONTEND_URL) { // if (origin !== FRONTEND_URL) {
return res.status(403).json({ error: "Forbidden origin" }) // return res.status(403).json({ error: "Forbidden origin" })
} // }
next() next()
}) })
// Per-request CSP nonce and header. Also expose nonce via X-CSP-Nonce so the frontend // Per-request CSP nonce and header. Also expose nonce via X-CSP-Nonce so the frontend
// can apply it to inline scripts/styles when needed. // can apply it to inline scripts/styles when needed.
app.use((req, res, next) => { // app.use((req, res, next) => {
const nonce = randomBytes(16).toString("base64") // const nonce = randomBytes(16).toString("base64")
const csp = [ // const csp = [
`default-src 'self' ${FRONTEND_URL}`, // `default-src 'self' ${FRONTEND_URL}`,
`connect-src 'self' ${FRONTEND_URL}`, // `connect-src 'self' ${FRONTEND_URL}`,
`img-src 'self' data: ${FRONTEND_URL}`, // `img-src 'self' data: ${FRONTEND_URL}`,
`script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`, // `script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
`style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`, // `style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
].join("; ") // ].join("; ")
res.setHeader("Content-Security-Policy", csp) // res.setHeader("Content-Security-Policy", csp)
// Expose nonce so frontend templates can use it for inline scripts/styles // // Expose nonce so frontend templates can use it for inline scripts/styles
res.setHeader("X-CSP-Nonce", nonce) // res.setHeader("X-CSP-Nonce", nonce)
// Vary on Origin so caches consider the Origin header when caching responses // // Vary on Origin so caches consider the Origin header when caching responses
res.setHeader("Vary", "Origin") // res.setHeader("Vary", "Origin")
next() // next()
}) // })
return app return app
} }
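Review bot: Nothing in either hunk ties the relaxed checks to a development environment: the origin comparison and the whole CSP/Vary middleware are commented out unconditionally, so a production build of this file accepts any non-empty Origin and sends no Content-Security-Policy header, contrary to what the commit title suggests. The first hunk has the same shape of problem — `cors({})` with no `origin` falls back to the cors package default (`*`, as far as I know), while the comment above it still reads "Restrict CORS to the predefined frontend URL", and the surviving `Missing Origin header` check no longer restricts anything on its own. Rather than commenting the checks out, gate them on an environment flag so the production path stays byte-identical, e.g. `const relaxOrigin = process.env.NODE_ENV !== "production"` at the top of createApp and `if (!relaxOrigin && origin !== FRONTEND_URL) {` in the origin middleware, with the CSP middleware registered under the same flag instead of removed. createApp's body begins before the first hunk.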