From e53993207077aecd2c01712519251993bb2562bc Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Thu, 18 Jul 2024 14:22:30 -0400
Subject: [PATCH] feat: add cross_origin_isolation option

---
 src/backend/src/services/WebServerService.js | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/backend/src/services/WebServerService.js b/src/backend/src/services/WebServerService.js
index 187f4956d..633fd2972 100644
--- a/src/backend/src/services/WebServerService.js
+++ b/src/backend/src/services/WebServerService.js
@@ -360,6 +360,8 @@ class WebServerService extends BaseService {
 app.use(function (req, res, next) {
 const origin = req.headers.origin;
+
+ const is_site = req.hostname.endsWith(config.static_hosting_domain);
 if ( req.path === '/signup' || req.path === '/login' ) {
 res.setHeader('Access-Control-Allow-Origin', origin ?? '*');
@@ -386,9 +388,14 @@ class WebServerService extends BaseService {
 // to the API (e.g. in case you use sessions)
 // res.setHeader('Access-Control-Allow-Credentials', true);
 
- //needed for SharedArrayBuffer
- // res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
- // res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp')
+ // Needed for SharedArrayBuffer
+ // NOTE: This is put behind a configuration flag because we
+ // need some experimentation to ensure the interface
+ // between apps and Puter doesn't break.
+ if ( config.cross_origin_isolation ) {
+ res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
+ res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
+ }
 res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
 
 // Pass to next layer of middleware
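Review bot: The new `is_site` line in the first hunk classifies the request with a bare suffix match, so any hostname that merely ends with `config.static_hosting_domain` (for example `notputer.example` when the configured domain is `puter.example`, a constructed value) is treated as a hosted site; if `is_site` is meant to gate any header or routing decision, the match should be anchored at a label boundary: `const is_site = req.hostname === config.static_hosting_domain || req.hostname.endsWith('.' + config.static_hosting_domain);`. Note also that Express derives `req.hostname` from the Host header (or a forwarded host header when `trust proxy` is enabled), so this value is client-supplied and should not be used for anything security-relevant without that boundary check. `is_site` is not read anywhere in the visible hunks; if it is unused the line should be dropped, and if `static_hosting_domain` can be unset the `endsWith(undefined)` call silently compares against the string `"undefined"`. The `app.use` callback this line lives in continues past the end of the hunk.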
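Review bot: The new `if ( config.cross_origin_isolation )` block in the second hunk applies `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` to every response that passes through this middleware, and the NOTE comment does not say so; since `require-corp` makes the browser refuse any cross-origin subresource that lacks a CORP or CORS grant, the comment should state the scope and the dependency on the `Cross-Origin-Resource-Policy: cross-origin` header set on the following line, e.g. `// Applies to every response through this middleware; the CORP header below is what lets Puter-served assets load under require-corp.`. It would also help operators to document the expected type of `config.cross_origin_isolation` (a boolean, defaulting to off) next to the flag check, since the truthiness test accepts any non-empty value. The middleware body extends beyond this hunk on both sides.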