DEV: enable cors to all cdn get requests from workbox. (PR #10685)

To prevent opaque cache files, now all the CDN files will be requested in ‘cors’ mode if the cdn_cors_enabled global setting is enabled. Before enabling the setting, should enable the cors in the CDN server by adding the response header access-control-allow-origin: *.

GitHub

The title of this pull request changed from “DEV: enable cors to all external get requests from workbox.” to "DEV: enable cors to all cdn get requests from workbox.

I see we have a cacheVersion variable already in this file. Could we use that in the searchParams, so that it is easier to update in future?

What’s the plan for this global setting long-term? Will we remove it once the feature has been tested successfully across a few sites?

I don’t think we need this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

If you don’t need credentials, omit this header entirely (rather than setting its value to false).

I wonder if we should add HEAD here as well?

As above

If you don’t need credentials, omit this header entirely (rather than setting its value to false).

Also… why are we doing this in two places? Could we do it all in the middleware, rather in both rails and middleware?

I wonder if we could simplify this into an ApplicationController helper? So that we end up with something like

cdn_route :brotli_asset, :cdn_asset, :enter, :favicon, :service_worker_asset

And then cdn_route would be defined like

def cdn_route(*args)
  skip_before_action :block_cdn_requests, only: args
  before_action :add_cors_header, only: args
end