[bugfix] add mode: no-cors to fix CORS error when following GCS redirects

When the service worker re-fetches with redirect: 'follow', it follows the redirect to GCS, which doesn't have CORS headers. Adding mode: 'no-cors': - Allows cross-origin fetches without CORS headers - Returns opaque response (works fine for images/videos/audio) - Prevents CORS error when loading from GCS
2026-04-30 03:01:54 +00:00 · 2025-10-24 22:45:17 -07:00
parent d621102d68
commit 71b55678da
1 changed files with 8 additions and 7 deletions
--- a/public/auth-sw.js
+++ b/public/auth-sw.js
@@ -70,16 +70,17 @@ self.addEventListener('fetch', (event) => {
        // Handle redirects to external storage (e.g., GCS signed URLs)
        if (response.type === 'opaqueredirect') {
          // Opaqueredirect: redirect occurred but response is opaque (headers not accessible)
-          // Re-fetch the original /api/view URL with redirect: 'follow'
+          // Re-fetch the original /api/view URL with redirect: 'follow' and mode: 'no-cors'
-          // Browser will:
+          // - mode: 'no-cors' allows cross-origin fetches without CORS headers (GCS doesn't have CORS)
-          // 1. Send auth headers to /api/view (same-origin)
+          // - Returns opaque response, which works fine for images/videos/audio
-          // 2. Receive 302 redirect to GCS
+          // - Browser will send auth headers to /api/view (same-origin)
-          // 3. Automatically strip auth headers when following cross-origin redirect
+          // - Browser will receive 302 redirect to GCS
-          // 4. Use GCS signed URL authentication instead
+          // - Browser will follow redirect using GCS signed URL authentication
          return fetch(event.request.url, {
            method: 'GET',
            headers: headers,
-            redirect: 'follow'
+            redirect: 'follow',
            mode: 'no-cors'
          })
        }