impress-2020/src/server/cors.js

const ALLOWED_CORS_ORIGINS = [
  "https://beta.impress.openneo.net",
  "https://impress.openneo.net",
  "http://localhost:3000",
];

export function applyCORSHeaders(req, res) {
  const origin = req.headers["origin"];
  if (ALLOWED_CORS_ORIGINS.includes(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Access-Control-Allow-Methods", "*");
    res.setHeader("Access-Control-Allow-Headers", "*");
  }

  // Add "Origin" to the `Vary` header, so caches know that the incoming Origin
  // header can change the response (specifically, the CORS response headers).
  //
  // NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
  // be robust about it, just in case! (Adding instead of overwriting *does*
  // matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
  const varyContent = res.getHeader("Vary");
  if (varyContent !== "*") {
    const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
    varyValues.push("Origin");
    res.setHeader("Vary", varyValues.join(", "));
  }
}
Enable Classic DTI to access impress-2020 via CORS owo, uwu, 2023-08-20 15:40:21 -07:00			`const ALLOWED_CORS_ORIGINS = [`
			`"https://beta.impress.openneo.net",`
			`"https://impress.openneo.net",`
			`"http://localhost:3000",`
			`];`

			`export function applyCORSHeaders(req, res) {`
			`const origin = req.headers["origin"];`
			`if (ALLOWED_CORS_ORIGINS.includes(origin)) {`
			`res.setHeader("Access-Control-Allow-Origin", origin);`
			`res.setHeader("Access-Control-Allow-Methods", "*");`
			`res.setHeader("Access-Control-Allow-Headers", "*");`
			`}`
Fix Vary header for CORS Oops, we added behavior that varies the CORS response headers according to the incoming `Origin` header, but we forgot to add `Vary: Origin`! This doesn't cause an issue for the app when you make requests to the server directly, but since it's behind a Fastly cache layer, we ended up caching responses that didn't include CORS headers but should have. Now, this will instruct the Fastly cache to treat requests with different `Origin` headers as being entirely different. (This means we won't be sharing caches between requests from impress-2020 and the Rails app anymore, but that should be okay in practice!) 2023-10-12 14:58:26 -07:00
			// Add "Origin" to the `Vary` header, so caches know that the incoming Origin
			`// header can change the response (specifically, the CORS response headers).`
			`//`
			`// NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to`
			`// be robust about it, just in case! (Adding instead of overwriting does`
			`// matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)`
			`const varyContent = res.getHeader("Vary");`
			`if (varyContent !== "*") {`
			`const varyValues = varyContent ? varyContent.split(/,\s*/) : [];`
			`varyValues.push("Origin");`
			`res.setHeader("Vary", varyValues.join(", "));`
			`}`
Enable Classic DTI to access impress-2020 via CORS owo, uwu, 2023-08-20 15:40:21 -07:00			`}`