Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(next-export): CORS errors due to wrong crossorigin default value #58200

Open
wants to merge 1 commit into
base: canary
Choose a base branch
from
Open

fix(next-export): CORS errors due to wrong crossorigin default value #58200

wants to merge 1 commit into from
+6 −4

Conversation

ild0tt0re
Copy link

If corsOrigin is not specified in nextConfig it become false and in the following code

crossOrigin: nextConfig.crossOrigin || '',

It fallback to empty string '' , but this is wrong since the default value should be undefined otherwise we are forcing the client to use ALWAYS CORS for assets as you can see from the MDN Official crossorigin spec

some crossorigin values can be:

  • anonymous: Request uses CORS headers and credentials flag is set to 'same-origin'. There is no exchange of user credentials via cookies, client-side TLS certificates or HTTP authentication, unless destination is the same origin.
  • "": Setting the attribute name to an empty value, like crossorigin or crossorigin="", is the same as anonymous.

By default (that is, when the attribute is not specified), CORS is not used at all. The user agent will not ask for permission for full access to the resource and in the case of a cross-origin request, certain limitations will be applied based on the type of element concerned:

You can see the Current vs. Expected behavior in the issue

Fixes #57931

@ijjk ijjk added the type: next label Nov 8, 2023
@ild0tt0re ild0tt0re force-pushed the bugfix/cors-errors-static-assets branch 2 times, most recently from fd3a1d4 to 7a32b1d Compare November 8, 2023 17:11
@ild0tt0re ild0tt0re mentioned this pull request Nov 9, 2023
Open
1 task
@ild0tt0re ild0tt0re force-pushed the bugfix/cors-errors-static-assets branch from 7a32b1d to 175bbc3 Compare November 10, 2023 11:48
@ild0tt0re ild0tt0re mentioned this pull request Nov 29, 2023
Open
@kyun
Copy link

kyun commented Feb 21, 2024
edited
Loading

Is this still working on?

@stepan-twnty
Copy link

@ijjk can you approve it?

@dgattey
Copy link

dgattey commented Feb 22, 2024
edited
Loading

Any updates on this fix? This fixes a critical bug still present in Next 14.1 with CORS attributes being incorrectly required

@samithaf
Copy link

samithaf commented Mar 2, 2024

@leerob could you please review?

ijjk
ijjk reviewed Mar 5, 2024
View reviewed changes
Copy link
Member

@ijjk ijjk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, can we add a test case for this to prevent regressing?

@Xavier59
Copy link

Xavier59 commented Mar 6, 2024

Can we just merge it and add regression test later @ijjk ?
Everybody using CDN to serve content has been stuck on 13.5.2 for months.
Thanks

@konstk1
Copy link

konstk1 commented May 1, 2024

Is this abandoned? We are also having an issue with crossorigin scripts.

@samithaf
Copy link

samithaf commented May 3, 2024
edited
Loading

While it may not be a solution for everyone, we solved this issue by fronting the Next.js applications with a CDN and then route the static assets to a static storage (Azure Blobs but can be anything depend on which cloud provider you are using). Then we route dynamic paths to web compute tier via CDN.

Given static paths going to be relative now, you are not going to face any CORS issues anymore.

@willholmeswastaken
Copy link

Suffering from this issue myself too... hopefully we get some answers on this soon.

@akbortoli
Copy link

Is this abandoned? We are having to patch every version for it to work via CDN.

@Xavier59
Copy link

Hello @ijjk please review again for merge. Lot of people suffering from this issue and there is no update.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ijjk ijjk ijjk left review comments

@timneutkens timneutkens Awaiting requested review from timneutkens

@shuding shuding Awaiting requested review from shuding

@huozhi huozhi Awaiting requested review from huozhi

@feedthejim feedthejim Awaiting requested review from feedthejim

@ztanner ztanner Awaiting requested review from ztanner

@wyattjoh wyattjoh Awaiting requested review from wyattjoh

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
type: next
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Crossorigin is added to scripts tags on static generated pages [next version > 13.5.2]
10 participants
@ild0tt0re @kyun @stepan-twnty @dgattey @samithaf @Xavier59 @konstk1 @willholmeswastaken @akbortoli @ijjk