From 3bfda51ed9efd7a95cd40f5c063446ab6c03ff63 Mon Sep 17 00:00:00 2001
From: Luiz Ferraz
Date: Mon, 15 Jul 2024 19:53:42 -0300
Subject: [PATCH] Ensure requests use 'cors' mode on browsers (#409)
---
 src/contentFetcher.ts | 7 +++++++
 src/evaluator.ts | 7 +++++++
 test/contentFetcher.test.ts | 1 +
 test/evaluator.test.ts | 1 +
 4 files changed, 16 insertions(+)
diff --git a/src/contentFetcher.ts b/src/contentFetcher.ts
index 6010a79e..d0d3c977 100644
--- a/src/contentFetcher.ts
+++ b/src/contentFetcher.ts
@@ -248,6 +248,13 @@ export class ContentFetcher {
 }
 return fetch(dynamic ? this.dynamicEndpoint : this.staticEndpoint, {
+ // Set the request mode to 'cors' when running in the browser.
+ // By default, the request mode is computed based on the referrer policy
+ // and response-tainting rules applied to the script that ultimately
+ // initiated the fetch, make this prone to errors due to unrelated
+ // configurations on the page.
+ // https://fetch.spec.whatwg.org/#origin-header
+ mode: typeof window === 'undefined' ? undefined : 'cors',
 credentials: 'omit',
 ...options.extra,
 method: 'POST',
diff --git a/src/evaluator.ts b/src/evaluator.ts
index 216651f8..d052c05f 100644
--- a/src/evaluator.ts
+++ b/src/evaluator.ts
@@ -276,6 +276,13 @@ export class Evaluator {
 }
 return fetch(this.endpoint, {
+ // Set the request mode to 'cors' when running in the browser.
+ // By default, the request mode is computed based on the referrer policy
+ // and response-tainting rules applied to the script that ultimately
+ // initiated the fetch, make this prone to errors due to unrelated
+ // configurations on the page.
+ // https://fetch.spec.whatwg.org/#origin-header
+ mode: typeof window === 'undefined' ? undefined : 'cors',
 credentials: 'omit',
 ...options.extra,
 method: 'POST',
diff --git a/test/contentFetcher.test.ts b/test/contentFetcher.test.ts
index 742b148b..1c71a3f5 100644
--- a/test/contentFetcher.test.ts
+++ b/test/contentFetcher.test.ts
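Review bot: In the `fetch` init of src/contentFetcher.ts, `...options.extra` is spread after the new `mode` entry and after `credentials: 'omit'`, so an `extra` object carrying its own `mode` or `credentials` silently replaces both; the src/evaluator.ts hunk has the same ordering. If the goal is to guarantee 'cors' in browsers, move the `mode` line below the spread next to `method: 'POST'`, or state in the comment that `extra` is allowed to override it, e.g. `// Callers may still override mode/credentials through options.extra.` The guard `typeof window === 'undefined'` is also true in Web Workers and service workers, where browser fetch rules still apply, so those contexts do not get the explicit mode if the SDK is meant to run there. The added comment should read "making this prone to errors" rather than "make this prone to errors". Both enclosing methods start and end outside their hunks, so how `options.extra` is populated is not visible here.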
@@ -33,6 +33,7 @@ describe('A content fetcher', () => {
 };
 const requestMatcher: MockOptions = {
+ functionMatcher: (_, req) => req.mode === 'cors',
 method: 'POST',
 headers: {
 'Content-Type': 'application/json',
diff --git a/test/evaluator.test.ts b/test/evaluator.test.ts
index a69005fb..3fd95d45 100644
--- a/test/evaluator.test.ts
+++ b/test/evaluator.test.ts
@@ -36,6 +36,7 @@ describe('An evaluator', () => {
 const query = 'user\'s name';
 const requestMatcher: MockOptions = {
+ functionMatcher: (_, req) => req.mode === 'cors',
 method: 'POST',
 headers: {
 'Content-Type': 'application/json',
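Review bot: The `functionMatcher` added to `requestMatcher` in test/contentFetcher.test.ts, and the identical one in test/evaluator.test.ts, only exercises the branch where `window` is defined; nothing visible in these hunks covers the non-browser branch, where the source passes `mode: undefined`. Assuming the suite runs in a DOM-like environment, a companion case that runs without `window` and asserts that `mode` is left unset would pin both sides of the conditional. A further case passing `extra` with its own `mode` would document whether that override is intended. Both `describe` blocks continue outside the hunks, so such cases may already exist elsewhere in the files.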