fix(serviceworker): Enhance header security for cached resources in service worker

2025-02-06 21:13:53 +01:00
parent dd6babdf81
commit 3556594501
3 changed files with 16 additions and 1 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,10 @@
 # Changelog

+## 2025-02-06 - 3.0.67 - fix(serviceworker)
+Enhance header security for cached resources in service worker
+
+- Added Cross-Origin-Resource-Policy header management for service worker cached resources.
+
 ## 2025-02-06 - 3.0.66 - fix(serviceworker)
 Improve error handling and logging in cache manager and update manager.

--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@api.global/typedserver',
-  version: '3.0.66',
+  version: '3.0.67',
  description: 'A TypeScript-based project for easy serving of static files with support for live reloading, compression, and typed requests.'
 }
--- a/ts_web_serviceworker/classes.cachemanager.ts
+++ b/ts_web_serviceworker/classes.cachemanager.ts
@@ -174,6 +174,16 @@ export class CacheManager {
              if (!headers.has('Access-Control-Allow-Headers')) {
                headers.set('Access-Control-Allow-Headers', 'Content-Type');
              }
+              
+              // Set Cross-Origin-Resource-Policy
+              if (matchRequest.url.startsWith(this.losslessServiceWorkerRef.serviceWindowRef.location.origin)) {
+                // For same-origin resources
+                headers.set('Cross-Origin-Resource-Policy', 'same-origin');
+              } else {
+                // For cross-origin resources that we explicitly allow
+                headers.set('Cross-Origin-Resource-Policy', 'cross-origin');
+              }
+
              // Prevent browser caching while allowing ServiceWorker caching.
              headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
              headers.set('Pragma', 'no-cache');