
fix(next-export): CORS errors due to wrong `crossorigin` default value

Open ild0tt0re opened this issue 2 years ago • 10 comments

If corsOrigin is not specified in nextConfig it becomes false, and in the following code

crossOrigin: nextConfig.crossOrigin || '',

it falls back to the empty string '', but this is wrong since the default value should be undefined; otherwise we are forcing the client to ALWAYS use CORS for assets, as you can see from the MDN official crossorigin spec.

Some crossorigin values can be:

  • anonymous: Request uses CORS headers and credentials flag is set to 'same-origin'. There is no exchange of user credentials via cookies, client-side TLS certificates or HTTP authentication, unless destination is the same origin.
  • "": Setting the attribute name to an empty value, like crossorigin or crossorigin="", is the same as anonymous.

By default (that is, when the attribute is not specified), CORS is not used at all. The user agent will not ask for permission for full access to the resource and in the case of a cross-origin request, certain limitations will be applied based on the type of element concerned:

You can see the Current vs. Expected behavior in the issue

Fixes #57931

ild0tt0re avatar Nov 08 '23 15:11 ild0tt0re
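The effect described in the pull request above, as an added example that is not part of the PR or of the Next.js code base: it renders a script tag with each default and checks whether a cross-origin classic script would load from a CDN that sends no CORS headers. The function names, origins and asset path are constructed for illustration, and `resolveAfter` is an assumed way of expressing the default the description asks for.

```javascript
// Added illustration; these helpers are hypothetical, not Next.js internals.

// Fallback quoted in the PR description: an unset (false) value becomes ''.
const resolveBefore = (nextConfig) => nextConfig.crossOrigin || '';
// Assumed form of the requested default: an unset value stays undefined.
const resolveAfter = (nextConfig) => nextConfig.crossOrigin || undefined;

// Serialize a <script> tag; the attribute is omitted only when the value is undefined.
function scriptTag(src, crossOrigin) {
  const attr = crossOrigin === undefined ? '' : ` crossorigin="${crossOrigin}"`;
  return `<script src="${src}"${attr}></script>`;
}

// Attribute absent: CORS is not used. Any present value, including "", uses CORS.
function requestMode(crossOrigin) {
  return crossOrigin === undefined ? 'no-cors' : 'cors';
}

// Would a classic script load? Header names are expected in lower case.
function scriptLoads(pageOrigin, assetUrl, crossOrigin, responseHeaders) {
  if (new URL(assetUrl).origin === pageOrigin) return true; // same origin: no check
  if (requestMode(crossOrigin) === 'no-cors') return true;  // loads, error details muted
  const acao = responseHeaders['access-control-allow-origin'];
  if (crossOrigin === 'use-credentials') {
    // Credentialed CORS requires an exact origin match plus the credentials header.
    return acao === pageOrigin &&
      responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin; // '' and 'anonymous'
}

// Constructed sample: app on one origin, assets on a CDN that sends no CORS headers.
const PAGE = 'https://app.example';
const ASSET = 'https://cdn.example/_next/static/chunks/main.js';
const unsetConfig = { crossOrigin: false }; // crossOrigin not specified by the user
const cdnHeaders = {};

for (const [label, resolve] of [['before', resolveBefore], ['after', resolveAfter]]) {
  const value = resolve(unsetConfig);
  console.log(label, scriptTag(ASSET, value),
    scriptLoads(PAGE, ASSET, value, cdnHeaders) ? 'loads' : 'blocked by CORS');
}
```
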

Is this still being worked on?

kyun avatar Feb 21 '24 01:02 kyun

@ijjk can you approve it?

stepan-twnty avatar Feb 21 '24 18:02 stepan-twnty

Any updates on this fix? This fixes a critical bug still present in Next 14.1 with CORS attributes being incorrectly required.

dgattey avatar Feb 22 '24 07:02 dgattey

@leerob could you please review?

samithaf avatar Mar 02 '24 09:03 samithaf

Can we just merge it and add a regression test later, @ijjk? Everybody using a CDN to serve content has been stuck on 13.5.2 for months. Thanks

Xavier59 avatar Mar 06 '24 10:03 Xavier59

Is this abandoned? We are also having an issue with crossorigin scripts.

konstk1 avatar May 01 '24 17:05 konstk1

While it may not be a solution for everyone, we solved this issue by fronting the Next.js applications with a CDN and then routing the static assets to static storage (Azure Blobs, but it can be anything depending on which cloud provider you are using). Then we route dynamic paths to the web compute tier via the CDN.

Given that static paths are going to be relative now, you are not going to face any CORS issues anymore.

samithaf avatar May 03 '24 08:05 samithaf

Suffering from this issue myself too... hopefully we get some answers on this soon.

willholmeswastaken avatar May 20 '24 17:05 willholmeswastaken

Is this abandoned? We are having to patch every version for it to work via CDN.

akbortoli avatar May 23 '24 01:05 akbortoli

Hello @ijjk, please review again for merge. A lot of people are suffering from this issue and there is no update.

Xavier59 avatar Jun 27 '24 12:06 Xavier59