diff --git a/changelog.md b/changelog.md
index 2d15c84..f7fc751 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,10 @@
 # Changelog
+## 2025-02-06 - 3.0.67 - fix(serviceworker)
+Enhance header security for cached resources in service worker
+
+- Added Cross-Origin-Resource-Policy header management for service worker cached resources.
+
 ## 2025-02-06 - 3.0.66 - fix(serviceworker)
 Improve error handling and logging in cache manager and update manager.
diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts
index 34de8f4..fe3e945 100644
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
 name: '@api.global/typedserver',
- version: '3.0.66',
+ version: '3.0.67',
 description: 'A TypeScript-based project for easy serving of static files with support for live reloading, compression, and typed requests.'
 }
diff --git a/ts_web_serviceworker/classes.cachemanager.ts b/ts_web_serviceworker/classes.cachemanager.ts
index ee2b4b1..9cc1bcf 100644
--- a/ts_web_serviceworker/classes.cachemanager.ts
+++ b/ts_web_serviceworker/classes.cachemanager.ts
@@ -174,6 +174,16 @@ export class CacheManager {
 if (!headers.has('Access-Control-Allow-Headers')) {
 headers.set('Access-Control-Allow-Headers', 'Content-Type');
 }
+
+ // Set Cross-Origin-Resource-Policy
+ if (matchRequest.url.startsWith(this.losslessServiceWorkerRef.serviceWindowRef.location.origin)) {
+ // For same-origin resources
+ headers.set('Cross-Origin-Resource-Policy', 'same-origin');
+ } else {
+ // For cross-origin resources that we explicitly allow
+ headers.set('Cross-Origin-Resource-Policy', 'cross-origin');
+ }
+
 // Prevent browser caching while allowing ServiceWorker caching.
 headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
 headers.set('Pragma', 'no-cache');
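Review bot: The `else` branch in the classes.cachemanager.ts hunk stamps `Cross-Origin-Resource-Policy: cross-origin` on every cached response that is not same-origin, and `headers.set` overwrites whatever policy the upstream server sent, although the comment speaks of resources "that we explicitly allow" and no allowlist check is visible in the hunk. CORP is the resource owner's opt-in, so relabelling third-party responses this way weakens the isolation that a `Cross-Origin-Embedder-Policy: require-corp` page relies on; I would keep an upstream value the way the `Access-Control-Allow-Headers` lines just above do, with `if (!headers.has('Cross-Origin-Resource-Policy')) { ... }`, and add `cross-origin` only for origins on an explicit list. The same-origin test is also a string prefix match, so a worker origin of `https://app.example` (constructed example) would also match a URL on `https://app.example.other.test`; compare parsed origins instead: `new URL(matchRequest.url).origin === this.losslessServiceWorkerRef.serviceWindowRef.location.origin`. The enclosing method starts and ends outside the hunk, so whether `headers` already carries the upstream CORP value at this point is an assumption to confirm.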