Bungie-net / api

Resources for the Bungie.net API
Other
1.22k stars 92 forks source link

Set access-control-allow-origin: * for all static assets #1850

Open bhollis opened 1 year ago

bhollis commented 1 year ago

I’ve noticed that some Bungie.net resources (e.g. manifest JSONs, images) often have the header access-control-allow-origin: https://www.bungie.net/ which prevents them from being loaded by DIM or other third-party sites. I believe this header is being set conditionally, and CloudFlare is caching one version and serving it to others. We have a workaround for the manifest (we retry with a “cache buster” query param, which isn’t great but it works), but for images we don’t. That wouldn’t be a problem normally but we’re trying to enable Cross-Origin-Embedder-Policy: require-corp which would expect all images to be CORS-enabled. Switching to unconditionally returning access-control-allow-origin: * for all static assets would be a big help.

AndreGrandberry commented 8 months ago

I'm having the same issue. I just submitted an issue myself. Have you found a solution. I'm building my app with NodeJs and React, so all of the workarounds I've heard about don't seem feasible for me. Plus I'm on a strict deadline to finish my project and this is holding me up.