CORP header blocks cross-origin availability checks

[mshibanami]

Hi,

I'm currently looking for a way to check the availability of a Quetre instance from a web page under a different origin. Is that possible?

Currently, I'm trying to check it by running the following JS code:

new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => {
        img.src = '';
        resolve(false);
    }, 3000);
    img.onload = () => {
        clearTimeout(timer);
        resolve(true);
    };
    img.onerror = () => {
        clearTimeout(timer);
        resolve(false);
    };
    img.src = "https://quetre.iket.me/favicon.ico";
});

However, because of cross-origin-resource-policy: same-origin in the response header of https://quetre.iket.me/favicon.ico, I can't use this method.

Is there a chance that Quetre will set crossOriginResourcePolicy: false in the helmet settings here: https://github.com/zyachel/quetre/blob/main/app.js#L30

Or apply this to the favicon.ico only:

app.get('/favicon.ico', (req, res, next) => {
  res.removeHeader("Cross-Origin-Resource-Policy");
  next();
});

Context of this question

I'm currently making a small web tool called jisk. It has a feature to automatically check the available instances, similar to Libredirect. However, due to this issue, my tool can't check it...

[zyachel]

i can add a dedicated health check route if that's what you're after

[mshibanami]

@zyachel Thanks. Yes, that sounds great to me as long as it’s fetch-able from a different origin.