fix: set Access-Control-Allow-Origin to * for openpgp requests

forwardemail · Feb 27, 2025 · 5cdb010 · 5cdb010
1 parent e522432
commit 5cdb010
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/config/web.js b/config/web.js
@@ -329,6 +329,16 @@ module.exports = (redis) => ({
 
       return next();
     });
+    //
+    // OpenPGP WKD lookup requires this header
+    // > The Access-Control-Allow-Origin: * header is needed to allow OpenPGP clients to fetch the policy from a different domain, bypassing CORS restrictions.
+    // https://www.webkeydirectory.com/[email protected]
+    //
+    app.use(async (ctx, next) => {
+      if (ctx.path.startsWith('/.well-known/openpgpkey'))
+        ctx.set('Access-Control-Allow-Origin', '*');
+      return next();
+    });
     // dynamic security.txt with 1 yr expiry
     // `gpg --clearsign --sign --default-key [email protected] assets/.well-known/security.txt`
     // <https://github.com/js-kyle/koa-security.txt>