From a69def5da793c20a13ec1e0fe7235636d31f2fd7 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Thu, 19 Jul 2012 14:37:28 -0600
Subject: [PATCH] add access-control-allow-origin to all static resources
 (excluding views), to allow fonts to be requested cross domain.  fixes a
 regression introduced during the merge of router, for issue #1973

---
 bin/static                  | 12 ++++++++----
 lib/static/views.js         |  1 -
 tests/cache-header-tests.js | 16 ++++++++++++++--
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/bin/static b/bin/static
index d9f389408..adbcdedd6 100755
--- a/bin/static
+++ b/bin/static
@@ -90,11 +90,15 @@ app.use(cachify.setup(assets(config.get('supported_languages')),
           root: static_root,
         }));
 
-
-// if nothing else has caught this request, serve static files, but ensure
-// that proper vary headers are installed to prevent unwanted caching
+// add 'Access-Control-Allow-Origin' headers to static resources that will be served
+// from the CDN.  We explicitly allow resources served from public_url to access these.
 app.use(function(req, res, next) {
-  res.setHeader('Vary', 'Accept-Encoding,Accept-Language');
+  res.on('header', function() {
+    // this allows fonts to be requested cross domain
+    res.setHeader("Access-Control-Allow-Origin", config.get('public_url'));
+    // this makes sure caches properly consider language headers
+    res.setHeader('Vary', 'Accept-Encoding,Accept-Language');
+  });
   next();
 });
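Review bot: The `Access-Control-Allow-Origin` value is taken straight from `config.get('public_url')` without any check that it is a bare origin (`scheme://host[:port]`, no path, no trailing slash); browsers ignore the header if the value is not an exact origin, so a configured `public_url` such as `https://example.test/` would silently re-break the cross-domain font loading this commit is meant to fix. Since the middleware is a catch-all, the "excluding views" behaviour from the commit message seems to rest entirely on the view routes being mounted earlier and ending the request — worth a sentence in the comment above `app.use`, e.g. `// NOTE: views are excluded only because their routes are mounted before this middleware and end the response.` Because the allowed origin is fixed rather than echoed from the request's Origin header, no `Vary: Origin` is needed, which is worth stating next to the existing Vary line so nobody adds it later. A one-line guard at startup, e.g. `if (new URL(config.get('public_url')).origin !== config.get('public_url')) throw new Error('public_url must be a bare origin');`, would make the misconfiguration fail loudly rather than silently.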
 
diff --git a/lib/static/views.js b/lib/static/views.js
index 051337320..35cc99dca 100644
--- a/lib/static/views.js
+++ b/lib/static/views.js
@@ -107,7 +107,6 @@ exports.setup = function(app) {
   });
 
   app.get('/communication_iframe', function(req, res, next ) {
-
     renderCachableView(req, res, 'communication_iframe.ejs', {
       layout: false,
       production: config.get('use_minified_resources')
diff --git a/tests/cache-header-tests.js b/tests/cache-header-tests.js
index da97f1671..104ef5f5c 100755
--- a/tests/cache-header-tests.js
+++ b/tests/cache-header-tests.js
@@ -74,8 +74,6 @@ function hasProperCacheHeaders(path) {
       assert.strictEqual(r.statusCode, 200);
       // check X-Frame-Option headers
       hasProperFramingHeaders(r, path);
-      // ensure vary headers
-      assert.strictEqual(r.headers['vary'], 'Accept-Encoding,Accept-Language');
       // ensure public, max-age=0
       assert.strictEqual(r.headers['cache-control'], 'public, max-age=0');
       // the behavior of combining a last-modified date and an etag is undefined by
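Review bot: Dropping the `vary` assertion from `hasProperCacheHeaders` removes the only check that `Vary: Accept-Encoding,Accept-Language` is still emitted, and the commit does not re-add it anywhere, so the header that was deliberately kept in the new `res.on('header', ...)` handler in bin/static is now untested. If views no longer pass through that middleware, the assertion should move rather than vanish: add `assert.strictEqual(r.headers['vary'], 'Accept-Encoding,Accept-Language');` to the new "static resources" batch in the next hunk of this file. `hasProperCacheHeaders` starts before this hunk, so I cannot see whether the paths it is applied to are views only.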
@@ -137,6 +135,20 @@ suite.addBatch({
 //  '/.well-known/browserid': hasProperCacheHeaders('/.well-known/browserid')
 });
 
+// related to cache headers are correct headers which let us serve static resources
+// (not rendered views) from a different domain, to support CDN compat
+suite.addBatch({
+  "static resources": {
+    topic: function() {
+      doRequest("/favicon.ico", {}, this.callback);
+    },
+    "have proper access control headers": function(err, r) {
+      assert.strictEqual(r.statusCode, 200);
+      assert.strictEqual(r.headers['access-control-allow-origin'],"http://127.0.0.1:10002");
+    }
+  }
+});
+
 // shut the server down and cleanup
 if (!process.env['SERVER_URL']) {
   start_stop.addShutdownBatches(suite);
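Review bot: The expected origin `"http://127.0.0.1:10002"` is hard-coded, while the server derives the header from `config.get('public_url')` and the line below shows the suite can run against an external server via `SERVER_URL`; in that mode the assertion will fail even when the header is correct. Derive the expectation from the same source the server uses, e.g. `assert.strictEqual(r.headers['access-control-allow-origin'], config.get('public_url'));` (or from `process.env['SERVER_URL']` when set), provided `config` is required in this test file, which I cannot see from the hunk. The batch also only covers the positive case; a companion assertion that a rendered view such as `/communication_iframe` does not carry `access-control-allow-origin` would pin the "excluding views" part of the commit message.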
-- 
GitLab