Add CORS header to responses

I think adding Acess-Control-Allow-Origin: * to assets returned by kv-asset-handler would be totally fine, but should definitely be a SemVer major change. For static assets, I can’t think of any security issues doing this, but would encourage anyone with more info to correct me.

As others have mentioned, Workers are used for other things like APIs where you may very much want to restrict your CORS configuration, but for these use-cases you wouldn’t use kv-asset-handler to serve an asset, and would be manually controlling this anyway.

My concern with making this an optional configuration option would be for an ever-growing scope with headers: which headers do we decide should be first-party configuration options (security ones?), and which should be left to the user to maintain and configure? It’s pretty trivial to override headers set on the Response anyway, but this definitely adds a level of ambiguity.

As a comparison, Netlify seems to handle this with a _headers file: https://docs.netlify.com/routing/headers/. Something like this may make sense for Pages, but kv-asset-handler is definitely more code than config driven.

Hi Aaron, thanks for your input. I would love to hear why you think that CORS should be disabled by default. Do you have an example of static content that would be unsafe to attach the access-control-allow-origin header onto? You’re totally correct in saying that it’s easy to add yourself (that’s what I’ve done in the interim), but my thinking is that Workers Sites is very similar to GitHub Pages which do add that header by default.

For anyone else looking to add the header manually, in your workers-site/index.js, handleEvent function, you just need to grab the response from getAssetFromKV and inject the header:

const response = await getAssetFromKV(event);
response.headers.set("access-control-allow-origin", "*");
return response;