Support proxying preview-assets to avoid CORS issues

Created on 25 August 2025, 20 days ago

Problem

Loading assets from an external domain requires suitable CORS headers. We need to either implement some proxy or make it easy on the frontend side to take care of CORS headers, e.g. allow origins with some wildcard pattern like "*.example.com".

(The risk of allowing CORS is rather low if it's only about assets. With that, an attacker could basically re-use the assets like we do, to render components on a foreign site, but that's about it. The assets' content is public anyway and there is no API that we need to allow, just loading assets.)

📌 Task

Status: Active
Version: 3.0
Component: Code
Created by: 🇦🇹 Austria fago Vienna


Comments & Activities

  • Issue created by @fago
  • 🇦🇹Austria fago Vienna

    Thinking about this topic a 2nd time, the CORS route seems to be better. The proxy-setup is rather complicated and might confuse people much more than a few CORS-requests running in the browser.

    For Nuxt dev mode, I got CORS working immediately.
    For Nuxt dev mode, the following addition to nuxt.config.ts did the trick (replace the origin URL with your Drupal base URL, obviously):

      vite: {
        server: {
          cors: {
            origin: ['http://xb-dev.ddev.site', 'https://xb-dev.ddev.site'],
          },
        },
      },
    

    When running the regular Nuxt server, a different configuration is going to be required.
    However, a straightforward configuration like the following did not do the trick. Investigating.

      nitro: {
        cors: {
          origin: ['http://xb-dev.ddev.site', 'https://xb-dev.ddev.site'],
          methods: ['GET'],
        },
      },
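
The wildcard origin idea from the issue description ("*.example.com"), sketched as an added example that is not part of the issue or the project's code: a framework-independent helper that decides which CORS headers an asset response gets. The names `ALLOWED_ORIGIN_PATTERNS`, `originMatches` and `corsHeadersFor` are hypothetical, and how the result is wired into the Nuxt server is left open.

```javascript
// Added example. Pattern syntax (an assumption of this sketch): an exact
// origin, or "scheme://*.domain" which matches subdomains of that domain.
const ALLOWED_ORIGIN_PATTERNS = [
  'https://*.example.com',     // wildcard pattern from the issue text
  'http://xb-dev.ddev.site',   // exact origins from the dev config above
  'https://xb-dev.ddev.site',
];

function originMatches(origin, pattern) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null" or malformed Origin header: never allow
  }
  // Only accept the canonical serialization (no path, userinfo, default port).
  if (parsed.origin !== origin) return false;

  const [scheme, hostPattern] = pattern.split('://');
  if (parsed.protocol !== scheme + ':') return false;
  if (!hostPattern.startsWith('*.')) return parsed.host === hostPattern;

  // Keep the leading dot in the suffix: ".example.com" matches
  // "cms.example.com" but not "evilexample.com" or "example.com.evil.net".
  const suffix = hostPattern.slice(1);
  return parsed.host.endsWith(suffix) && parsed.host.length > suffix.length;
}

function corsHeadersFor(method, requestOrigin) {
  // Always vary on Origin so a shared cache cannot replay a response
  // carrying one origin's allow header to a different origin.
  const headers = { Vary: 'Origin' };
  if (!requestOrigin || !['GET', 'HEAD', 'OPTIONS'].includes(method)) {
    return headers;
  }
  if (ALLOWED_ORIGIN_PATTERNS.some((p) => originMatches(requestOrigin, p))) {
    // Echo the matched origin; the header cannot carry a pattern itself.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Methods'] = 'GET';
    // No Access-Control-Allow-Credentials: the assets are public.
  }
  return headers;
}
```

The bare domain `https://example.com` is not matched by the wildcard pattern in this sketch; list it as an exact origin if it is needed.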