Merge pull request #266107 from mjbvz/coherent-tuna

Set `Cross-Origin-Resource-Policy` on webview resource responses

Author: mjbvz

src/vs/workbench/contrib/webview/browser/pre/service-worker.js

@@ -286,10 +286,20 @@ async function processResourceRequest(
 			return requestTimeout();
 		}
 
+		/** @type {Record<string, string>} */
+		const accessControlHeaders = {
+			'Access-Control-Allow-Origin': '*',
+			'Cross-Origin-Resource-Policy': 'cross-origin',
+		};
+
 		const entry = result.value;
 		if (entry.status === 304) { // Not modified
 			if (cachedResponse) {
-				return cachedResponse.clone();
+				const r = cachedResponse.clone();
+				for (const [key, value] of Object.entries(accessControlHeaders)) {
+					r.headers.set(key, value);
+				}
+				return r;
 			} else {
 				throw new Error('No cache found');
 			}
@@ -303,11 +313,6 @@ async function processResourceRequest(
 			return notFound();
 		}
 
-		/** @type {Record<string, string>} */
-		const commonHeaders = {
-			'Access-Control-Allow-Origin': '*',
-		};
-
 		const byteLength = entry.data.byteLength;
 
 		const range = event.request.headers.get('range');
@@ -323,7 +328,7 @@ async function processResourceRequest(
 				return new Response(entry.data.slice(start, end + 1), {
 					status: 206,
 					headers: {
-						...commonHeaders,
+						...accessControlHeaders,
 						'Content-range': `bytes 0-${end}/${byteLength}`,
 					}
 				});
@@ -332,7 +337,7 @@ async function processResourceRequest(
 				return new Response(null, {
 					status: 416,
 					headers: {
-						...commonHeaders,
+						...accessControlHeaders,
 						'Content-range': `*/${byteLength}`
 					}
 				});
@@ -341,7 +346,7 @@ async function processResourceRequest(
 
 		/** @type {Record<string, string>} */
 		const headers = {
-			...commonHeaders,
+			...accessControlHeaders,
 			'Content-Type': entry.mime,
 			'Content-Length': byteLength.toString(),
 		};