


Julio Cesar
757044510c Disable CORS and CSP restrictions for development 2025-08-30 00:23:48 +02:00


@@ -22,7 +22,7 @@ function createApp(): Express {
// Restrict CORS to the predefined frontend URL
app.use(
cors({
origin: FRONTEND_URL,
// origin: FRONTEND_URL,
})
)
app.use(express.json())
@@ -33,32 +33,32 @@ function createApp(): Express {
if (!origin) {
return res.status(403).json({ error: "Missing Origin header" })
}
if (origin !== FRONTEND_URL) {
return res.status(403).json({ error: "Forbidden origin" })
}
// if (origin !== FRONTEND_URL) {
// return res.status(403).json({ error: "Forbidden origin" })
// }
next()
})
// Per-request CSP nonce and header. Also expose nonce via X-CSP-Nonce so the frontend
// can apply it to inline scripts/styles when needed.
app.use((req, res, next) => {
const nonce = randomBytes(16).toString("base64")
// app.use((req, res, next) => {
// const nonce = randomBytes(16).toString("base64")
const csp = [
`default-src 'self' ${FRONTEND_URL}`,
`connect-src 'self' ${FRONTEND_URL}`,
`img-src 'self' data: ${FRONTEND_URL}`,
`script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
`style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
].join("; ")
// const csp = [
// `default-src 'self' ${FRONTEND_URL}`,
// `connect-src 'self' ${FRONTEND_URL}`,
// `img-src 'self' data: ${FRONTEND_URL}`,
// `script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
// `style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
// ].join("; ")
res.setHeader("Content-Security-Policy", csp)
// Expose nonce so frontend templates can use it for inline scripts/styles
res.setHeader("X-CSP-Nonce", nonce)
// Vary on Origin so caches consider the Origin header when caching responses
res.setHeader("Vary", "Origin")
next()
})
// res.setHeader("Content-Security-Policy", csp)
// // Expose nonce so frontend templates can use it for inline scripts/styles
// res.setHeader("X-CSP-Nonce", nonce)
// // Vary on Origin so caches consider the Origin header when caching responses
// res.setHeader("Vary", "Origin")
// next()
// })
return app
}
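Review bot: The origin guard is now only half disabled: with the `if (origin !== FRONTEND_URL)` branch commented out the middleware still answers 403 to any request without an Origin header but passes every other origin, while `cors()` in the first hunk, now called with no `origin` option, responds with `Access-Control-Allow-Origin: *` — so the surviving check protects nothing and only rejects same-origin and non-browser clients that send no Origin. If the relaxation is meant for local development, gate it on the environment instead of commenting code out, e.g. `const devMode = process.env.NODE_ENV !== "production"` once, then `origin: devMode ? true : FRONTEND_URL` in the cors options and `if (!devMode && origin !== FRONTEND_URL) {` here, so a production build keeps the restriction without a follow-up commit. The same gate would let the CSP/nonce middleware stay active rather than be removed wholesale; note that commenting it out also drops the `Vary: Origin` header, which was the only place it was set. The comment `// Restrict CORS to the predefined frontend URL` at the top of the first hunk no longer describes the code and should be updated along with it.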