fix(cors): proxy devv-app.js via server and reference same-origin to avoid CORS

2025-08-21 17:17:01 +08:00 · 2025-08-21 17:17:01 +08:00 · ba92de04f2
commit ba92de04f2
parent f6cab715e6
2 changed files with 19 additions and 2 deletions
--- a/index.html
+++ b/index.html
@ -9,8 +9,8 @@
  </head>
  <body>
    <div id="root"></div>
-    <!-- IMPORTANT: Never remove the following script reference, otherwise advanced features like element editing will not work -->
-    <script src="https://static.devv.ai/devv-app.js" type="module"></script>
+    <!-- IMPORTANT: Keep this script for advanced features; proxied via server to avoid CORS -->
+    <script src="/devv-app.js" type="module"></script>
    <script type="module" src="/src/main.tsx"></script>
  </body>
 </html>
--- a/server/src/index.ts
+++ b/server/src/index.ts
@ -61,6 +61,23 @@ app.get('/health', (_req, res) => {
  res.json({ ok: true });
 });

+// Proxy external devv-app.js to avoid browser CORS for module scripts
+app.get('/devv-app.js', async (_req, res) => {
+  try {
+    const response = await fetch('https://static.devv.ai/devv-app.js');
+    if (!response.ok) {
+      res.status(response.status).type('text/plain').send('');
+      return;
+    }
+    res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
+    res.setHeader('Cache-Control', 'public, max-age=3600');
+    const bodyText = await response.text();
+    res.send(bodyText);
+  } catch (error) {
+    res.status(502).type('application/javascript').send('// proxy error');
+  }
+});
+
 type DbRow = {
  id: string;
  product_code: string | null;