Margin is an open annotation layer for the internet. Powered by the AT Protocol.
fun
scanash.com
3 weeks ago
b8eaebaa
3bcf3cc5
+40
-2
2 changed files
+20
-1
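--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -6,6 +6,7 @@
 "net/http"
 "os"
 "os/signal"
+"strings"
 "syscall"
 "time"
 
@@ -62,7 +63,25 @@
 r.Use(middleware.Throttle(100))
 
 r.Use(cors.Handler(cors.Options{
-AllowedOrigins: []string{"https://*", "http://*", "chrome-extension://*"},
+AllowOriginFunc: func(r *http.Request, origin string) bool {
+if strings.HasPrefix(origin, "chrome-extension://") ||
+strings.HasPrefix(origin, "moz-extension://") ||
+strings.HasPrefix(origin, "safari-web-extension://") {
+return true
+}
+allowedOrigins := []string{
+"https://margin.at",
+"https://www.margin.at",
+"http://localhost:4321",
+"http://localhost:8081",
+}
+for _, allowed := range allowedOrigins {
+if origin == allowed {
+return true
+}
+}
+return false
+},
 AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "X-Session-Token"},
 ExposedHeaders: []string{"Link"},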
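Review bot: The three `strings.HasPrefix` checks in `AllowOriginFunc` accept every `chrome-extension://`, `moz-extension://` and `safari-web-extension://` origin, so any extension installed in a user's browser is trusted like the first-party site, not only Margin's own. Where the extension ID is stable (Chrome), compare the full origin instead, e.g. `origin == "chrome-extension://<MARGIN_EXTENSION_ID>"` (placeholder; the real ID is not on this page); Firefox origins carry a per-install UUID, so those requests need a control other than an origin prefix. The two `http://localhost:…` entries are also allowed unconditionally and would be better added only in development, for example behind an environment check. The rest of `cors.Options`, including whether `AllowCredentials` is set, lies outside the hunk, so the actual exposure depends on that setting.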
+20
-1
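--- a/web/src/middleware.ts
+++ b/web/src/middleware.ts
@@ -41,10 +41,29 @@
 
 try {
 const res = await fetch(target.toString(), init);
+const responseHeaders = new Headers(res.headers);
+
+const origin = request.headers.get("origin");
+if (origin && (
+origin.startsWith("chrome-extension://") ||
+origin.startsWith("moz-extension://") ||
+origin.startsWith("safari-web-extension://")
+)) {
+responseHeaders.set("Access-Control-Allow-Origin", origin);
+responseHeaders.set("Access-Control-Allow-Credentials", "true");
+responseHeaders.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+responseHeaders.set("Access-Control-Allow-Headers", "Accept, Authorization, Content-Type, X-CSRF-Token, X-Session-Token");
+responseHeaders.set("Access-Control-Expose-Headers", "Link");
+}
+
+if (request.method === "OPTIONS" && origin) {
+return new Response(null, { status: 204, headers: responseHeaders });
+}
+
 return new Response(res.body, {
 status: res.status,
 statusText: res.statusText,
-headers: res.headers,
+headers: responseHeaders,
 });
 } catch {
 return new Response("Backend unavailable", { status: 502 });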
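Review bot: The `origin.startsWith(...)` branch echoes any `chrome-extension://`, `moz-extension://` or `safari-web-extension://` origin into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, so every installed extension, not just Margin's, can read credentialed responses through this proxy. Match the full known origin where the ID is stable rather than a scheme prefix, and add `responseHeaders.append("Vary", "Origin");` inside the branch so a shared cache cannot serve one origin's reflected header to another. The branch also overwrites whatever CORS headers the backend returned, which duplicates the allowlist in backend/cmd/server/main.go and lets the two copies drift. The `OPTIONS` short-circuit sits after `await fetch(...)`, so a preflight is still forwarded upstream and, it appears, answered with 502 when the backend is down. The enclosing function and the start of the `try` are outside the hunk.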