From 71b55678da9d304db6fd08a3294a0622ff466eee Mon Sep 17 00:00:00 2001
From: bymyself
Date: Fri, 24 Oct 2025 22:45:17 -0700
Subject: [PATCH] [bugfix] add mode: no-cors to fix CORS error when following GCS redirects

When the service worker re-fetches with redirect: 'follow', it follows the redirect to GCS, which doesn't have CORS headers.
Adding mode: 'no-cors':
- Allows cross-origin fetches without CORS headers
- Returns opaque response (works fine for images/videos/audio)
- Prevents CORS error when loading from GCS
---
 public/auth-sw.js | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/public/auth-sw.js b/public/auth-sw.js
index 08405bf3f..2f21da21a 100644
--- a/public/auth-sw.js
+++ b/public/auth-sw.js
@@ -70,16 +70,17 @@ self.addEventListener('fetch', (event) => {
 // Handle redirects to external storage (e.g., GCS signed URLs)
 if (response.type === 'opaqueredirect') {
 // Opaqueredirect: redirect occurred but response is opaque (headers not accessible)
- // Re-fetch the original /api/view URL with redirect: 'follow'
- // Browser will:
- // 1. Send auth headers to /api/view (same-origin)
- // 2. Receive 302 redirect to GCS
- // 3. Automatically strip auth headers when following cross-origin redirect
- // 4. Use GCS signed URL authentication instead
+ // Re-fetch the original /api/view URL with redirect: 'follow' and mode: 'no-cors'
+ // - mode: 'no-cors' allows cross-origin fetches without CORS headers (GCS doesn't have CORS)
+ // - Returns opaque response, which works fine for images/videos/audio
+ // - Browser will send auth headers to /api/view (same-origin)
+ // - Browser will receive 302 redirect to GCS
+ // - Browser will follow redirect using GCS signed URL authentication
 return fetch(event.request.url, {
 method: 'GET',
 headers: headers,
- redirect: 'follow'
+ redirect: 'follow',
+ mode: 'no-cors'
 })
 }
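Review bot: With `mode: 'no-cors'` the Fetch API silently drops every request header that is not CORS-safelisted, so if `headers` (built outside this hunk) carries `Authorization` or a custom token header, the re-fetch reaches /api/view without it and the new comment "Browser will send auth headers to /api/view (same-origin)" no longer holds. The returned response is opaque (status 0, body and headers unreadable), so this branch can no longer tell a 401/403 or an expired signed URL from success, and it presumably only works when the page's own request was already `no-cors` (plain media elements), not for `fetch()` or `crossorigin` loads. If the relaxed mode stays, I would replace that comment line with `// mode: 'no-cors' strips non-safelisted request headers (incl. Authorization); /api/view must authenticate this re-fetch another way`. The alternative is to keep the default mode and allow the app origin in the bucket's CORS configuration. The fetch listener starts and ends outside the hunk, so how `headers` is populated should be confirmed there.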