From e397b564dc26b19e4446df7d990b157c29b377b0 Mon Sep 17 00:00:00 2001
From: marius david <marius@mariusdavid.fr>
Date: Tue, 23 Jul 2024 21:47:25 +0200
Subject: [PATCH] Enable permissive CORS on static file serving

---
 src/lib/Hydra/Controller/Build.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib/Hydra/Controller/Build.pm b/src/lib/Hydra/Controller/Build.pm
index de2c204d9..73748d3e4 100644
--- a/src/lib/Hydra/Controller/Build.pm
+++ b/src/lib/Hydra/Controller/Build.pm
@@ -237,6 +237,7 @@ sub serveFile {
         # Have the hosted data considered its own origin to avoid being a giant
         # XSS hole.
         $c->response->header('Content-Security-Policy' => 'sandbox allow-scripts');
+        $c->response->header('Access-Control-Allow-Origin', '*');
 
         $c->stash->{'plain'} = { data => grab(cmd => ["nix", "--experimental-features", "nix-command",
                                                       "store", "cat", "--store", getStoreUri(), "$path"]) };