send Cross-Origin-Resource-Policy header on all responses (#10420)

* send Cross-Origin-Resource-Policy header on all responses

* don't re-add Access-Control-Allow-Origin on json responses

this is re-adding a header we've already set earlier in the process

* update tests

Author: chris48s

Diff for: core/base-service/legacy-result-sender.js

@@ -17,7 +17,6 @@ function sendSVG(res, askres, end) {
 
 function sendJSON(res, askres, end) {
   askres.setHeader('Content-Type', 'application/json')
-  askres.setHeader('Access-Control-Allow-Origin', '*')
   askres.setHeader('Content-Length', Buffer.byteLength(res, 'utf8'))
   end(null, { template: streamFromString(res) })
 }

Diff for: core/server/server.js

@@ -541,9 +541,12 @@ class Server {
       }
     }
 
-    // https://github.com/badges/shields/issues/3273
     camp.handle((req, res, next) => {
+      // https://github.com/badges/shields/issues/3273
       res.setHeader('Access-Control-Allow-Origin', '*')
+      // https://github.com/badges/shields/issues/10419
+      res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin')
+
       next()
     })
 

Diff for: core/server/server.spec.js

@@ -79,6 +79,7 @@ describe('The server', function () {
       )
       expect(statusCode).to.equal(200)
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
     })
 
     it('should redirect colorscheme PNG badges as configured', async function () {
@@ -133,6 +134,7 @@ describe('The server', function () {
       expect(statusCode).to.equal(200)
       expect(headers['content-type']).to.equal('application/json')
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
       expect(headers['content-length']).to.equal('92')
       expect(() => JSON.parse(body)).not.to.throw()
     })