Hugging Face's logo

Spaces:
k-l-lambda
/
trigo
Sleeping

App Files Community
trigo / trigo-web /app /dist /coi-serviceworker.js
k-l-lambda's picture
k-l-lambda
fix: detect iframe requests in service worker and skip COOP headers
a5530bb
raw
history blame contribute delete
5.18 kB
/*! coi-serviceworker v0.1.7 - Guido Zuidhof and contributors, licensed under MIT */
let coepCredentialless = false;
if (typeof window === 'undefined') {
 self.addEventListener("install", () => self.skipWaiting());
 self.addEventListener("activate", (event) => event.waitUntil(self.clients.claim()));
self.addEventListener("message", (ev) => {
 if (!ev.data) {
 return;
 } else if (ev.data.type === "deregister") {
 self.registration
 .unregister()
 .then(() => {
 return self.clients.matchAll();
 })
 .then(clients => {
 clients.forEach((client) => client.navigate(client.url));
 });
 } else if (ev.data.type === "coepCredentialless") {
 coepCredentialless = ev.data.value;
 }
 });
self.addEventListener("fetch", function (event) {
 const r = event.request;
 if (r.cache === "only-if-cached" && r.mode !== "same-origin") {
 return;
 }
// Check if this is an iframe request - don't add COOP headers for iframes
 // This allows the page to be embedded in cross-origin iframes (e.g., HuggingFace Spaces)
 const secFetchDest = r.headers.get("Sec-Fetch-Dest");
 const isIframeRequest = secFetchDest === "iframe";
const request = (coepCredentialless && r.mode === "no-cors")
 ? new Request(r, {
 credentials: "omit",
 })
 : r;
 event.respondWith(
 fetch(request)
 .then((response) => {
 if (response.status === 0) {
 return response;
 }
// For iframe requests, don't add isolation headers (allows embedding)
 if (isIframeRequest) {
 return response;
 }
const newHeaders = new Headers(response.headers);
 newHeaders.set("Cross-Origin-Embedder-Policy",
 coepCredentialless ? "credentialless" : "require-corp"
 );
 if (!coepCredentialless) {
 newHeaders.set("Cross-Origin-Resource-Policy", "cross-origin");
 }
 newHeaders.set("Cross-Origin-Opener-Policy", "same-origin");
return new Response(response.body, {
 status: response.status,
 statusText: response.statusText,
 headers: newHeaders,
 });
 })
 .catch((e) => console.error(e))
 );
 });
} else {
 (() => {
 // You can customize the behavior of this script through a global `coi` variable.
 const coi = {
 shouldRegister: () => true,
 shouldDeregister: () => false,
 coepCredentialless: () => !(window.chrome || window.netscape),
 doReload: () => window.location.reload(),
 quiet: false,
 ...window.coi
 };
const n = navigator;
if (n.serviceWorker && n.serviceWorker.controller) {
 n.serviceWorker.controller.postMessage({
 type: "coepCredentialless",
 value: coi.coepCredentialless(),
 });
if (coi.shouldDeregister()) {
 n.serviceWorker.controller.postMessage({ type: "deregister" });
 }
 }
// If we're already coi: do nothing. Perhaps it's due to this script doing its job, or COOP/COEP are
 // already set from the origin server. Also if the browser has no notion of crossOriginIsolated, just give up here.
 if (window.crossOriginIsolated !== false || !coi.shouldRegister()) return;
if (!window.isSecureContext) {
 !coi.quiet && console.log("COOP/COEP Service Worker not registered, a secure context is required.");
 return;
 }
// In some environments (e.g. Chrome incognito mode) this won't be available
 if (n.serviceWorker) {
 n.serviceWorker.register(window.document.currentScript.src).then(
 (registration) => {
 !coi.quiet && console.log("COOP/COEP Service Worker registered", registration.scope);
registration.addEventListener("updatefound", () => {
 !coi.quiet && console.log("Reloading page to make use of updated COOP/COEP Service Worker.");
 coi.doReload();
 });
// If the registration is active, but it's not controlling the page
 if (registration.active && !n.serviceWorker.controller) {
 !coi.quiet && console.log("Reloading page to make use of COOP/COEP Service Worker.");
 coi.doReload();
 }
 },
 (err) => {
 !coi.quiet && console.error("COOP/COEP Service Worker failed to register:", err);
 }
 );
 }
 })();
}