Fix CORS on redirect responses and add Vary: Origin #62

Merged
dsherret merged 1 commit into main from fix-cors-redirect-headers
Jun 27, 2026

@dsherret (Member) commented Jun 27, 2026

Problem

Cross-origin fetches from https://dprint.dev to schema/plugin URLs were failing with:

Access to fetch at '.../schema.json' from origin 'https://dprint.dev' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

A request for a non-wasm asset (e.g. schema.json, plugin.json) returns a 302 redirect to the /asset/... path so relative URLs resolve correctly. The final asset response set Access-Control-Allow-Origin, but the 302 from Response.redirect() did not. For CORS-mode requests the browser runs the CORS check on every response in the redirect chain, so the naked redirect was blocked before the final response was reached.

Fix

  • Add a createRedirectResponse(request, location) helper that builds the 302 with the Access-Control-Allow-Origin header (reusing the existing getAccessControlAllowOrigin, which already echoes localhost/127.0.0.1 origins for local dev). Both redirect sites now use it.
  • Add Vary: Origin to every response that emits the dynamic ACAO header (plugin, JSON, and redirect responses), so caches don't serve a response cached for one origin to another.

Tests

Extended the two existing redirect tests to assert the ACAO header is present. The only failing tests (info.json, cli.json) are pre-existing and require live GitHub credentials.

Closes #52

Cross-origin fetches run the CORS check on every response in a redirect
chain, so the 302 produced for non-wasm assets needs an
Access-Control-Allow-Origin header too — without it the redirect was
blocked before the final asset response (which did set the header) was
reached.

Also add `Vary: Origin` everywhere the header is emitted, since its
value varies by request origin (dprint.dev / localhost / 127.0.0.1).
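
The behaviour described above, as an added example that is not code from this pull request: a sketch of a redirect helper with the shape the description gives, plus two small models showing why the bare 302 was blocked and why `Vary: Origin` matters to a cache. The body of `createRedirectResponse`, the stand-in `allowedOriginFor` (the project's `getAccessControlAllowOrigin` is not shown on the page), `firstCorsFailure` and `cacheKey` are all assumptions made for illustration.

```javascript
// Added example: every name except createRedirectResponse is hypothetical.
const DEFAULT_ORIGIN = "https://dprint.dev";

// Stand-in for the project's getAccessControlAllowOrigin (its body is not on the page):
// echo localhost / 127.0.0.1 origins for local dev, otherwise allow the site origin.
function allowedOriginFor(request) {
  const origin = request.headers.get("origin");
  if (origin) {
    try {
      const { hostname } = new URL(origin);
      if (hostname === "localhost" || hostname === "127.0.0.1") return origin;
    } catch { /* malformed Origin header: fall through to the default */ }
  }
  return DEFAULT_ORIGIN;
}

// 302 that carries the CORS header, plus Vary: Origin because the value depends on the request.
function createRedirectResponse(request, location) {
  return new Response(null, {
    status: 302,
    headers: {
      location,
      "access-control-allow-origin": allowedOriginFor(request),
      vary: "Origin",
    },
  });
}

// Simplified model of the browser's per-response CORS check (no credentials mode):
// returns the index of the first response in the redirect chain that fails, or -1.
function firstCorsFailure(requestOrigin, chain) {
  return chain.findIndex((res) => {
    const acao = res.headers.get("access-control-allow-origin");
    return acao !== "*" && acao !== requestOrigin;
  });
}

// Key a shared cache would use: the URL plus the request headers named in Vary.
function cacheKey(request, response) {
  const vary = (response.headers.get("vary") || "").split(",").map((h) => h.trim()).filter(Boolean);
  return [request.url, ...vary.map((h) => `${h.toLowerCase()}=${request.headers.get(h) || ""}`)].join("|");
}
```

With a bare 302 at the head of the chain `firstCorsFailure` reports index 0 even though the final response is correct, and without `Vary` both origins map to the same `cacheKey`, which is the cross-origin cache mix-up the second bullet of the fix prevents.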

cloudflare-workers-and-pages (Bot) commented Jun 27, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful!
Name: dprint-plugins
Latest Commit: 439da8f
Updated (UTC): Jun 27 2026, 07:06 PM

@dsherret dsherret added this pull request to the merge queue Jun 27, 2026
Merged via the queue into main with commit 77a4dd4 Jun 27, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

CORS error when fetching schema JSON in playground
