Config: Allow CORS for additional file types when using a CDN #3931

Signed-off-by: Michael Mayer <michael@photoprism.app>

internal/server/static.go

@@ -12,7 +12,7 @@ import (
 // Static is a middleware that adds static content-related headers to the server's response.
 var Static = func(conf *config.Config) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// Allow CORS based on the configuration and automatically for eot, ttf, woff, woff2 and css files with a CDN.
+		// Allow CORS based on the configuration or otherwise automatically for certain file types when using a CDN.
 		// See: https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements
 		if origin := conf.CORSOrigin(); origin != "" || header.AllowCORS(c.Request.URL.Path) && conf.UseCdn() {
 			if origin == "" {

pkg/header/cors.go

@@ -21,9 +21,22 @@ var (
 	CorsMethods                      = []string{http.MethodGet, http.MethodHead, http.MethodOptions}
 	DefaultAccessControlAllowMethods = strings.Join(CorsMethods, ", ")
 	DefaultAccessControlMaxAge       = "3600"
-	CorsExt                          = map[string]bool{".eot": true, ".ttf": true, ".woff": true, ".woff2": true, ".css": true}
 )
 
+// CorsExt contains all static asset extensions for which a CORS header may be added automatically.
+var CorsExt = map[string]bool{
+	".ttf":   true,
+	".ttc":   true,
+	".otf":   true,
+	".eot":   true,
+	".woff":  true,
+	".woff2": true,
+	".css":   true,
+	".js":    true, // Required for the MapLibre GL RTL text plugin.
+	".json":  true, // Required for static frontend configuration files.
+	".svg":   true, // Required for SVG icons that depend on additional styles or fonts.
+}
+
 // AllowCORS checks if CORS headers can be safely used based on a request's file path.
 // See: https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements
 func AllowCORS(path string) bool {