From a3f80b60b0e4a92f5d206e5927b4613df2c2b690 Mon Sep 17 00:00:00 2001
From: yflory
Date: Wed, 17 Apr 2024 14:50:32 +0200
Subject: [PATCH] Fix loading resources using sandbox domain from outer #1472
---
 lib/http-worker.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/lib/http-worker.js b/lib/http-worker.js
index c46d1b3f7..418198dec 100644
--- a/lib/http-worker.js
+++ b/lib/http-worker.js
@@ -161,6 +161,15 @@ var setHeaders = function (req, res) {
 }
 var h = getHeaders(Env, type);
+
+ // XXX Allow main domain to load resources from the sandbox URL
+ // We can restrict this to onlyoffice fonts if we find a security issue with this
+ if (!Env.enableEmbedding && req.get('origin') === Env.httpUnsafeOrigin) {
+ //if (/^\/common\/onlyoffice\/dist\/.*\/fonts\/.*/.test(req.url)) {
+ h['Access-Control-Allow-Origin'] = Env.httpUnsafeOrigin;
+ //}
+ }
+
 applyHeaderMap(res, h);
 };
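Review bot: The override in the new `if` block gives the main origin cross-origin read access to every response that passes through `setHeaders`, although the only use case the comment names is the OnlyOffice fonts and the path check for it is left commented out. Enabling that check now, `if (/^\/common\/onlyoffice\/dist\/.*\/fonts\/.*/.test(req.url)) {` around the assignment, would keep the sandbox/main-domain separation as narrow as the fix needs rather than waiting for a problem to show up. The `Access-Control-Allow-Origin` value now also depends on the request's `Origin` header, so unless `getHeaders` already sets it (not visible here) the response should carry `Origin` in `Vary`, e.g. `h['Vary'] = h['Vary'] ? h['Vary'] + ', Origin' : 'Origin';` placed outside the `if`, so a cache cannot replay a variant produced for a different origin. `setHeaders` begins above this hunk, so how `type` and the preceding branch affect `h` cannot be checked from here.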