Add Access-Control-Allow-Origin headers to static content served from our CDN.

bin/browserid

@@ -135,6 +135,15 @@ app.use(function(req, res, next) {
   next();
 });
 
+// add 'Access-Control-Allow-Origin' headers to static resources that will be served
+// from the CDN.  We explicitly allow resources served from public_url to access these.
+app.use(function(req, res, next) {
+  res.on('header', function() {
+    res.setHeader("Access-Control-Allow-Origin", config.get('public_url'));
+  });
+  next();
+});
+
 app.use(express.static(static_root));
 
 // open the databse

bin/router

@@ -20,7 +20,6 @@ logger = require('../lib/logging.js').logger,
 forward = require('../lib/http_forward').forward,
 shutdown = require('../lib/shutdown');
 
-
 var app = undefined;
 
 app = express.createServer();
@@ -78,9 +77,9 @@ if (statsd_config && statsd_config.enabled) {
 
 // Add Strict-Transport-Security headers if we're serving over SSL
 if (config.get('scheme') == 'https') {
-  app.use(function(req, resp, next) {
+  app.use(function(req, res, next) {
     // expires in 30 days, include subdomains like www
-    resp.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
+    res.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
     next();
     });
 }

lib/http_forward.js

@@ -47,7 +47,7 @@ exports.forward = function(dest, req, res, cb) {
     res.statusCode = pres.statusCode;
 
     // forward necessary headers
-    ['Content-Type', 'Content-Length', 'Set-Cookie', 'Vary', 'Cache-Control', 'ETag', 'X-Frame-Options', 'Location']
+    ['Content-Type', 'Content-Length', 'Set-Cookie', 'Vary', 'Cache-Control', 'ETag', 'X-Frame-Options', 'Location', 'Access-Control-Allow-Origin']
       .forEach(function (header) {
         if (pres.headers.hasOwnProperty(header.toLowerCase())) {
           res.setHeader(header, pres.headers[header.toLowerCase()]);