fix(ui): harden service worker + manifest crossorigin behind auth proxy (FLO-250)#4
Conversation
Behind Cloudflare Access the console threw on every load: - A CORS error because /site.webmanifest was fetched without credentials and 302-redirected cross-origin to the Access login. - `TypeError: Failed to convert value to 'Response'` because the SW catch handler passed `caches.match(request)` (undefined on a miss) straight into `event.respondWith`. Changes: - SW now skips cross-origin requests and the auth-sensitive /site.webmanifest and /sw.js paths, letting the network/auth proxy own them untouched. - Never caches redirected / opaqueredirect responses (auth challenges). - Both catch branches await the cache lookup and fall back to a real Response (503 navigate, 504 otherwise) — respondWith never sees undefined. - Bump CACHE_NAME paperclip-v2 -> paperclip-v3 so the new worker replaces the cached old one. - index.html manifest link gains crossorigin="use-credentials". Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 53 minutes and 7 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…xy (#4) Behind Cloudflare Access the console threw on every load: - A CORS error because /site.webmanifest was fetched without credentials and 302-redirected cross-origin to the Access login. - `TypeError: Failed to convert value to 'Response'` because the SW catch handler passed `caches.match(request)` (undefined on a miss) straight into `event.respondWith`. Changes: - SW now skips cross-origin requests and the auth-sensitive /site.webmanifest and /sw.js paths, letting the network/auth proxy own them untouched. - Never caches redirected / opaqueredirect responses (auth challenges). - Both catch branches await the cache lookup and fall back to a real Response (503 navigate, 504 otherwise) — respondWith never sees undefined. - Bump CACHE_NAME paperclip-v2 -> paperclip-v3 so the new worker replaces the cached old one. - index.html manifest link gains crossorigin="use-credentials". Co-authored-by: Wayland <wayland@agents.flopbut.local> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Why
Behind Cloudflare Access the console throws on every load:
/site.webmanifestis fetched without credentials and gets 302-redirected cross-origin to the Access login.TypeError: Failed to convert value to 'Response'because the SW catch handler passescaches.match(request)(resolves toundefinedon a miss) intoevent.respondWith.What changed
ui/public/sw.js(full replacement):/site.webmanifest+/sw.jspaths via aPASS_THROUGHset — the network / auth proxy owns them untouched (norespondWith).redirected/opaqueredirectresponses (auth challenges).catchbranchesawaitthe cache lookup and fall back to a real Response —503for navigations,504otherwise — sorespondWithis never handedundefined. Fixes the latentcaches.match("/") || new Response(...)bug (a Promise is always truthy, so the fallback never ran).CACHE_NAMEpaperclip-v2→paperclip-v3so the new worker replaces the cached old one.ui/index.html:crossorigin="use-credentials".Decision lenses
Verification
node --check ui/public/sw.jspasses.respondWithnever handed a non-Response: bothcatchbranchesawaitthen|| new Response(...).redirected/opaqueredirectnot intercepted or cached;/site.webmanifestand/sw.jsreturnearly.caches.match('/') || ...truthy-Promise bug fixed by awaiting.CACHE_NAMEbumped topaperclip-v3.crossorigin="use-credentials".Docs
No new env var / UI page / endpoint — no README change required.
Closes FLO-250 (impl ticket FLO-251).