From 95b3b509c700b84cd50672751a13a2e0612a6ff0 Mon Sep 17 00:00:00 2001
From: Christian Byrne
Date: Fri, 24 Oct 2025 23:07:29 -0700
Subject: [PATCH] [bugfix] add mode: no-cors to fix CORS error when following GCS redirects (#6277)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes CORS error when service worker follows redirects to GCS by using mode: 'no-cors' to allow cross-origin fetches without CORS headers.

┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-6277-bugfix-add-mode-no-cors-to-fix-CORS-error-when-following-GCS-redirects-2976d73d36508101a4cbd7b59106dfc3) by [Unito](https://www.unito.io)
---
 public/auth-sw.js | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/public/auth-sw.js b/public/auth-sw.js
index 08405bf3f..2f21da21a 100644
--- a/public/auth-sw.js
+++ b/public/auth-sw.js
@@ -70,16 +70,17 @@ self.addEventListener('fetch', (event) => {
 // Handle redirects to external storage (e.g., GCS signed URLs)
 if (response.type === 'opaqueredirect') {
 // Opaqueredirect: redirect occurred but response is opaque (headers not accessible)
- // Re-fetch the original /api/view URL with redirect: 'follow'
- // Browser will:
- // 1. Send auth headers to /api/view (same-origin)
- // 2. Receive 302 redirect to GCS
- // 3. Automatically strip auth headers when following cross-origin redirect
- // 4. Use GCS signed URL authentication instead
+ // Re-fetch the original /api/view URL with redirect: 'follow' and mode: 'no-cors'
+ // - mode: 'no-cors' allows cross-origin fetches without CORS headers (GCS doesn't have CORS)
+ // - Returns opaque response, which works fine for images/videos/audio
+ // - Browser will send auth headers to /api/view (same-origin)
+ // - Browser will receive 302 redirect to GCS
+ // - Browser will follow redirect using GCS signed URL authentication
 return fetch(event.request.url, {
 method: 'GET',
 headers: headers,
- redirect: 'follow'
+ redirect: 'follow',
+ mode: 'no-cors'
 })
 }
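Review bot: Adding `mode: 'no-cors'` to the re-fetch limits its request headers to the no-CORS-safelisted names (Accept, Accept-Language, Content-Language, Content-Type), so if `headers` (built outside this hunk) carries `Authorization` or a custom token header, the browser drops it silently and the new comment `Browser will send auth headers to /api/view (same-origin)` does not hold. That would mean /api/view either rejects the re-fetch or is being served without that credential, so the outgoing request headers should be checked before relying on this path. The returned response is also opaque (status 0), so a 403 from an expired signed URL cannot be told apart from success, and it can only answer a request that was itself no-cors; consider narrowing the branch to something like `if (response.type === 'opaqueredirect' && event.request.mode === 'no-cors')` and replacing that comment line with `// NOTE: no-cors keeps only safelisted request headers; Authorization is not sent on this re-fetch`. The fetch listener begins and ends outside the hunk.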