(READ ONLY) Margin is an open annotation layer for the internet. Powered by the AT Protocol. margin.at

this is annoying

scanash00 cb85af63 b8eaebaa

+33 -14
+33 -14
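--- a/web/src/middleware.ts
+++ b/web/src/middleware.ts
@@ -5,6 +5,23 @@
 
 const PROXY_PATHS = ["/api/", "/auth/", "/client-metadata.json", "/jwks.json"];
 
+const CORS_HEADERS = {
+  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+  "Access-Control-Allow-Headers": "Accept, Authorization, Content-Type, X-CSRF-Token, X-Session-Token",
+  "Access-Control-Expose-Headers": "Link",
+  "Access-Control-Allow-Credentials": "true",
+  "Access-Control-Max-Age": "300",
+};
+
+function isExtensionOrigin(origin: string | null): origin is string {
+  if (!origin) return false;
+  return (
+    origin.startsWith("chrome-extension://") ||
+    origin.startsWith("moz-extension://") ||
+    origin.startsWith("safari-web-extension://")
+  );
+}
+
 export async function onRequest(
   { request, url }: APIContext,
   next: () => Promise<Response>,
@@ -17,6 +34,18 @@
     return next();
   }
 
+  const origin = request.headers.get("origin");
+
+  if (request.method === "OPTIONS" && isExtensionOrigin(origin)) {
+    return new Response(null, {
+      status: 204,
+      headers: {
+        "Access-Control-Allow-Origin": origin,
+        ...CORS_HEADERS,
+      },
+    });
+  }
+
   const target = new URL(url.pathname + url.search, API_URL);
 
   const headers = new Headers(request.headers);
@@ -43,21 +72,11 @@
   const res = await fetch(target.toString(), init);
   const responseHeaders = new Headers(res.headers);
 
-  const origin = request.headers.get("origin");
-  if (origin && (
-    origin.startsWith("chrome-extension://") ||
-    origin.startsWith("moz-extension://") ||
-    origin.startsWith("safari-web-extension://")
-  )) {
+  if (isExtensionOrigin(origin)) {
     responseHeaders.set("Access-Control-Allow-Origin", origin);
-    responseHeaders.set("Access-Control-Allow-Credentials", "true");
-    responseHeaders.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-    responseHeaders.set("Access-Control-Allow-Headers", "Accept, Authorization, Content-Type, X-CSRF-Token, X-Session-Token");
-    responseHeaders.set("Access-Control-Expose-Headers", "Link");
-  }
-
-  if (request.method === "OPTIONS" && origin) {
-    return new Response(null, { status: 204, headers: responseHeaders });
+    for (const [key, value] of Object.entries(CORS_HEADERS)) {
+      responseHeaders.set(key, value);
+    }
   }
 
   return new Response(res.body, {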
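Review bot: `isExtensionOrigin` matches on the scheme prefix only, and both the new preflight branch and the proxied response echo that origin together with `Access-Control-Allow-Credentials: true`, so any browser extension, not just this project's, is allowed to read credentialed responses from the proxied `/api/` and `/auth/` paths. Now that the check sits in one helper, it could compare against a configured set of the project's own extension origins where the ID is stable, for example `return ALLOWED_EXTENSION_ORIGINS.has(origin);` (a hypothetical name, populated from deployment config). Firefox extension origins are per-install UUIDs, so that branch probably needs a different control, such as honouring only the token headers rather than cookies. Because the allowed origin is reflected rather than fixed, both responses should also carry `Vary: Origin`, e.g. `responseHeaders.append("Vary", "Origin");`, so a shared cache cannot serve one origin's CORS headers to another. The body of `onRequest` continues outside the shown hunks, so whether cookies are actually forwarded upstream should be confirmed there.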