From c67c8f0505691e032a72b999b6f0db2f0b49a68d Mon Sep 17 00:00:00 2001
From: chris48s <chris48s@users.noreply.github.com>
Date: Sun, 28 Jul 2024 09:22:24 +0100
Subject: [PATCH] send Cross-Origin-Resource-Policy header on all responses
 (#10420)

* send Cross-Origin-Resource-Policy header on all responses

* don't re-add Access-Control-Allow-Origin on json responses

this is re-adding a header we've already set earlier in the process

* update tests
---
 core/base-service/legacy-result-sender.js | 1 -
 core/server/server.js                     | 5 ++++-
 core/server/server.spec.js                | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/base-service/legacy-result-sender.js b/core/base-service/legacy-result-sender.js
index f3a3d12692..ba0629130b 100644
--- a/core/base-service/legacy-result-sender.js
+++ b/core/base-service/legacy-result-sender.js
@@ -17,7 +17,6 @@ function sendSVG(res, askres, end) {
 
 function sendJSON(res, askres, end) {
   askres.setHeader('Content-Type', 'application/json')
-  askres.setHeader('Access-Control-Allow-Origin', '*')
   askres.setHeader('Content-Length', Buffer.byteLength(res, 'utf8'))
   end(null, { template: streamFromString(res) })
 }
diff --git a/core/server/server.js b/core/server/server.js
index 65c8a52f75..f5621d9411 100644
--- a/core/server/server.js
+++ b/core/server/server.js
@@ -541,9 +541,12 @@ class Server {
       }
     }
 
-    // https://github.com/badges/shields/issues/3273
     camp.handle((req, res, next) => {
+      // https://github.com/badges/shields/issues/3273
       res.setHeader('Access-Control-Allow-Origin', '*')
+      // https://github.com/badges/shields/issues/10419
+      res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin')
+
       next()
     })
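Review bot: The new `res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin')` line is explained only by an issue URL, so a reader has to leave the file to learn why the most permissive CORP value is the right one; a one-line why-comment would save that trip, e.g. `// 'cross-origin' lets badges be embedded by third-party pages, including ones that opt into COEP (require-corp); see https://github.com/badges/shields/issues/10419`. The stray blank line between that call and `next()` is inconsistent with the rest of the handler and can be dropped. Because this handler runs for every response, the header also lands on non-badge and error responses, which is presumably intended given `Access-Control-Allow-Origin: *` is set on the same path. The enclosing Server method and class start outside the hunk.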
 
diff --git a/core/server/server.spec.js b/core/server/server.spec.js
index 741b2e92da..5c014b820d 100644
--- a/core/server/server.spec.js
+++ b/core/server/server.spec.js
@@ -79,6 +79,7 @@ describe('The server', function () {
       )
       expect(statusCode).to.equal(200)
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
     })
 
     it('should redirect colorscheme PNG badges as configured', async function () {
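Review bot: The added assertion only covers the badge response here and the JSON response in the second spec hunk (`@@ -133,6 +134,7 @@`), while the commit title promises the header on all responses; nothing checks it on the redirect path that the next test (`should redirect colorscheme PNG badges`) exercises, or on a 404. Adding `expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')` to the redirect test would pin that the middleware really runs before those responses are finished. Both `it` blocks start outside their hunks.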
@@ -133,6 +134,7 @@ describe('The server', function () {
       expect(statusCode).to.equal(200)
       expect(headers['content-type']).to.equal('application/json')
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
       expect(headers['content-length']).to.equal('92')
       expect(() => JSON.parse(body)).not.to.throw()
     })
-- 
GitLab