send Cross-Origin-Resource-Policy header on all responses (#10420)

* send Cross-Origin-Resource-Policy header on all responses * don't re-add Access-Control-Allow-Origin on json responses this is re-adding a header we've already set earlier in the process * update tests
badges · Jul 28, 2024 · c67c8f0 · c67c8f0
1 parent 6f4ebba
commit c67c8f0
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/core/base-service/legacy-result-sender.js b/core/base-service/legacy-result-sender.js
@@ -17,7 +17,6 @@ function sendSVG(res, askres, end) {
 
 function sendJSON(res, askres, end) {
   askres.setHeader('Content-Type', 'application/json')
-  askres.setHeader('Access-Control-Allow-Origin', '*')
   askres.setHeader('Content-Length', Buffer.byteLength(res, 'utf8'))
   end(null, { template: streamFromString(res) })
 }

diff --git a/core/server/server.js b/core/server/server.js
@@ -541,9 +541,12 @@ class Server {
       }
     }
 
-    // https://github.com/badges/shields/issues/3273
     camp.handle((req, res, next) => {
+      // https://github.com/badges/shields/issues/3273
       res.setHeader('Access-Control-Allow-Origin', '*')
+      // https://github.com/badges/shields/issues/10419
+      res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin')
+
       next()
     })
 

diff --git a/core/server/server.spec.js b/core/server/server.spec.js
@@ -79,6 +79,7 @@ describe('The server', function () {
       )
       expect(statusCode).to.equal(200)
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
     })
 
     it('should redirect colorscheme PNG badges as configured', async function () {
@@ -133,6 +134,7 @@ describe('The server', function () {
       expect(statusCode).to.equal(200)
       expect(headers['content-type']).to.equal('application/json')
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
       expect(headers['content-length']).to.equal('92')
       expect(() => JSON.parse(body)).not.to.throw()
     })