LibWeb: Allow CORS requests from opaque origins to resource:// URLs

JavaScript module requests (in a non-worker context) always have CORS
enabled. However, CORS requests are only allowed for same-origin or
HTTP/S requests. This patch extends this to allow resource:// requests
from opaque origins (e.g. about: URLs).

We must also set the Access-Control-Allow-Origin header to "null" to
ensure that the response is accepted by the CORS checks. This does not
affect requesting resource:// URLs from resource:// URLs as those are
same-origin and skip CORS checks.

This ultimately enables requesting resource:// JS modules from the
about:settings page.
Timothy Flynn 2025-04-23 11:14:15 -04:00 committed by Tim Flynn
commit 6539c72e7e
Notes: github-actions[bot] 2025-04-24 00:00:07 +00:00
2 changed files with 6 additions and 2 deletions

@ -142,6 +142,7 @@ static HTTP::HeaderMap response_headers_for_file(StringView path, Optional<time_
auto mime_type = Core::guess_mime_type_based_on_filename(path);
HTTP::HeaderMap response_headers;
response_headers.set("Access-Control-Allow-Origin"sv, "null"sv);
response_headers.set("Content-Type"sv, mime_type);
if (modified_time.has_value()) {
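Review bot: The `response_headers.set("Access-Control-Allow-Origin"sv, "null"sv);` line in `response_headers_for_file` is unconditional and carries no comment. Nothing in the visible lines restricts it to resource:// responses or to the requesting origin. The value "null" is what every opaque origin serializes to, so this header lets any opaque-origin document pass the CORS check for whatever this helper serves, not only about: pages such as about:settings. Please add a comment above the line stating why "null" is used and which callers rely on it. If this helper is also reached for other file-backed schemes, either pass the scheme in and set the header only for resource://, or note in the comment why the broader grant is acceptable. A test that loads a resource:// module from an about: page and a same-origin resource:// to resource:// case would pin down the behaviour the commit message describes.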