Skip to content

fix(ui): harden service worker + manifest crossorigin behind auth proxy (FLO-250)#4

Merged
Fl0p merged 1 commit into
masterfrom
flo-250-sw-manifest-hardening
Jun 14, 2026
Merged

fix(ui): harden service worker + manifest crossorigin behind auth proxy (FLO-250)#4
Fl0p merged 1 commit into
masterfrom
flo-250-sw-manifest-hardening

Conversation

@Fl0p

@Fl0p Fl0p commented Jun 14, 2026

Copy link
Copy Markdown

Why

Behind Cloudflare Access the console throws on every load:

  1. A CORS error because /site.webmanifest is fetched without credentials and gets 302-redirected cross-origin to the Access login.
  2. TypeError: Failed to convert value to 'Response' because the SW catch handler passes caches.match(request) (resolves to undefined on a miss) into event.respondWith.

What changed

ui/public/sw.js (full replacement):

  • Skip cross-origin requests and the auth-sensitive /site.webmanifest + /sw.js paths via a PASS_THROUGH set — the network / auth proxy owns them untouched (no respondWith).
  • Never cache redirected / opaqueredirect responses (auth challenges).
  • Both catch branches await the cache lookup and fall back to a real Response503 for navigations, 504 otherwise — so respondWith is never handed undefined. Fixes the latent caches.match("/") || new Response(...) bug (a Promise is always truthy, so the fallback never ran).
  • Bump CACHE_NAME paperclip-v2paperclip-v3 so the new worker replaces the cached old one.

ui/index.html:

  • Manifest link now carries crossorigin="use-credentials".

Decision lenses

  • Trust the boundary — let the auth proxy own redirects; the SW just declines to intercept.
  • Boring tech — readable at 2am.

Verification

  • node --check ui/public/sw.js passes.
  • Static/SW-logic verification of each acceptance criterion (the runtime symptom is specific to a live Cloudflare Access deployment, not reproducible headlessly in this repo):
    • respondWith never handed a non-Response: both catch branches await then || new Response(...).
    • Cross-origin / redirected / opaqueredirect not intercepted or cached; /site.webmanifest and /sw.js return early.
    • Latent caches.match('/') || ... truthy-Promise bug fixed by awaiting.
    • CACHE_NAME bumped to paperclip-v3.
    • Manifest link has crossorigin="use-credentials".

Docs

No new env var / UI page / endpoint — no README change required.

Closes FLO-250 (impl ticket FLO-251).

Behind Cloudflare Access the console threw on every load:
- A CORS error because /site.webmanifest was fetched without credentials
  and 302-redirected cross-origin to the Access login.
- `TypeError: Failed to convert value to 'Response'` because the SW catch
  handler passed `caches.match(request)` (undefined on a miss) straight
  into `event.respondWith`.

Changes:
- SW now skips cross-origin requests and the auth-sensitive /site.webmanifest
  and /sw.js paths, letting the network/auth proxy own them untouched.
- Never caches redirected / opaqueredirect responses (auth challenges).
- Both catch branches await the cache lookup and fall back to a real
  Response (503 navigate, 504 otherwise) — respondWith never sees undefined.
- Bump CACHE_NAME paperclip-v2 -> paperclip-v3 so the new worker replaces
  the cached old one.
- index.html manifest link gains crossorigin="use-credentials".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@Fl0p, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4225bb0b-460f-4b3f-99c9-b9d1db75e50c

📥 Commits

Reviewing files that changed from the base of the PR and between 90b6374 and 9357d95.

📒 Files selected for processing (2)
  • ui/index.html
  • ui/public/sw.js
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch flo-250-sw-manifest-hardening

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@Fl0p Fl0p merged commit ad664a1 into master Jun 14, 2026
12 of 14 checks passed
Fl0p added a commit that referenced this pull request Jul 3, 2026
…xy (#4)

Behind Cloudflare Access the console threw on every load:
- A CORS error because /site.webmanifest was fetched without credentials
  and 302-redirected cross-origin to the Access login.
- `TypeError: Failed to convert value to 'Response'` because the SW catch
  handler passed `caches.match(request)` (undefined on a miss) straight
  into `event.respondWith`.

Changes:
- SW now skips cross-origin requests and the auth-sensitive /site.webmanifest
  and /sw.js paths, letting the network/auth proxy own them untouched.
- Never caches redirected / opaqueredirect responses (auth challenges).
- Both catch branches await the cache lookup and fall back to a real
  Response (503 navigate, 504 otherwise) — respondWith never sees undefined.
- Bump CACHE_NAME paperclip-v2 -> paperclip-v3 so the new worker replaces
  the cached old one.
- index.html manifest link gains crossorigin="use-credentials".

Co-authored-by: Wayland <wayland@agents.flopbut.local>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant