From a016ef1a2b7ca6c5d01ce1308de751b6be3ce2de Mon Sep 17 00:00:00 2001
From: Taras Kushnir
Date: Tue, 11 Nov 2025 09:55:32 +0200
Subject: [PATCH] Add crossorigin attribute to portal scripts. related PrivateCaptcha/issues#206
---
 pkg/common/middlewares.go | 3 +++
 web/build.go | 1 +
 web/layouts/_default/default-scripts.html | 6 +++---
 web/layouts/portal/scripts.html | 2 +-
 web/layouts/property/scripts.html | 4 ++--
 widget/build.go | 1 +
 6 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/pkg/common/middlewares.go b/pkg/common/middlewares.go
index 5d31fe16..33c54b72 100644
--- a/pkg/common/middlewares.go
+++ b/pkg/common/middlewares.go
@@ -35,6 +35,9 @@ var (
 http.CanonicalHeaderKey("X-Frame-Options"): []string{"DENY"},
 http.CanonicalHeaderKey("X-Content-Type-Options"): []string{"nosniff"},
 }
+ CorsAllowAllHeaders = map[string][]string{
+ HeaderAccessControlOrigin: []string{"*"},
+ }
 HtmlContentHeaders = map[string][]string{
 http.CanonicalHeaderKey(HeaderContentType): []string{ContentTypeHTML},
 }
diff --git a/web/build.go b/web/build.go
index ba75777b..d299f3e5 100644
--- a/web/build.go
+++ b/web/build.go
@@ -37,6 +37,7 @@ func Static(gitHash string) http.HandlerFunc {
 common.WriteHeaders(w, common.CachedHeaders)
 common.WriteHeaders(w, common.SecurityHeaders)
+ common.WriteHeaders(w, common.CorsAllowAllHeaders)
 common.WriteHeaders(w, etagHeaders)
 srv.ServeHTTP(w, r)
 }
diff --git a/web/layouts/_default/default-scripts.html b/web/layouts/_default/default-scripts.html
index cd051612..407ffb7a 100644
--- a/web/layouts/_default/default-scripts.html
+++ b/web/layouts/_default/default-scripts.html
@@ -1,6 +1,6 @@ - - - + + + {{ if $.Ctx.LoggedIn }} + {{template "default-scripts.html" .}} {{end}}
diff --git a/web/layouts/property/scripts.html b/web/layouts/property/scripts.html
index 1baf6d20..be97e74a 100644
--- a/web/layouts/property/scripts.html
+++ b/web/layouts/property/scripts.html
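Review bot: `CorsAllowAllHeaders` in pkg/common/middlewares.go is keyed by the bare `HeaderAccessControlOrigin` constant and carries no comment, whereas the neighbouring maps in this `var (` block wrap their keys in `http.CanonicalHeaderKey(...)`. If `WriteHeaders` assigns map keys straight into the response header map (its body is not in this patch), a non-canonical constant would yield an entry that later `Header().Get`/`Del` calls miss, so `http.CanonicalHeaderKey(HeaderAccessControlOrigin): []string{"*"},` would be the consistent form. Because the map is exported and grants every origin read access, I would document the intended scope above it, e.g. `// CorsAllowAllHeaders allows any origin to read the response; use only for public, non-credentialed static assets.` The `var (` block starts and ends outside the hunk.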
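Review bot: The added `common.WriteHeaders(w, common.CorsAllowAllHeaders)` in `Static` (web/build.go) applies the wildcard origin header to every response this handler produces, not only to the script files that, per the commit title, are now requested with `crossorigin`. That is appropriate only if everything under this static tree is public, so it is worth confirming that or restricting the header to the asset types that need it. A short why-comment on the line, e.g. `// public assets: allow cross-origin reads so <script crossorigin> loads succeed`, would keep a later reader from copying the call onto authenticated handlers. The diffstat lists a one-line change in widget/build.go that is not visible here and presumably deserves the same check; the handler closure starts outside the hunk.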
@@ -1,6 +1,6 @@ {{define "scripts"}} - - + + {{template "default-scripts.html" .}}