From ba92de04f2a605b41fe4f9d3cf3118e8e27ef5d7 Mon Sep 17 00:00:00 2001
From: Chever John <cheverjonathan@gmail.com>
Date: Thu, 21 Aug 2025 17:17:01 +0800
Subject: [PATCH] fix(cors): proxy devv-app.js via server and reference
 same-origin to avoid CORS

---
 index.html          |  4 ++--
 server/src/index.ts | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/index.html b/index.html
index 18a46c7..e74ab44 100644
--- a/index.html
+++ b/index.html
@@ -9,8 +9,8 @@
   </head>
   <body>
     <div id="root"></div>
-    <!-- IMPORTANT: Never remove the following script reference, otherwise advanced features like element editing will not work -->
-    <script src="https://static.devv.ai/devv-app.js" type="module"></script>
+    <!-- IMPORTANT: Keep this script for advanced features; proxied via server to avoid CORS -->
+    <script src="/devv-app.js" type="module"></script>
     <script type="module" src="/src/main.tsx"></script>
   </body>
 </html>
diff --git a/server/src/index.ts b/server/src/index.ts
index fb1781e..4480259 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -61,6 +61,23 @@ app.get('/health', (_req, res) => {
   res.json({ ok: true });
 });
 
+// Proxy external devv-app.js to avoid browser CORS for module scripts
+app.get('/devv-app.js', async (_req, res) => {
+  try {
+    const response = await fetch('https://static.devv.ai/devv-app.js');
+    if (!response.ok) {
+      res.status(response.status).type('text/plain').send('');
+      return;
+    }
+    res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
+    res.setHeader('Cache-Control', 'public, max-age=3600');
+    const bodyText = await response.text();
+    res.send(bodyText);
+  } catch (error) {
+    res.status(502).type('application/javascript').send('// proxy error');
+  }
+});
+
 type DbRow = {
   id: string;
   product_code: string | null;