From 48a2876c48647b45b38cf596311649fe58a8246d Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Fri, 14 Jun 2024 15:18:40 +0100
Subject: [PATCH 1/2] Add support for httpStaticCors

---
 packages/node_modules/node-red/package.json | 1 +
 packages/node_modules/node-red/red.js       | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/packages/node_modules/node-red/package.json b/packages/node_modules/node-red/package.json
index 4d0f8e519..0b7fbb1a9 100644
--- a/packages/node_modules/node-red/package.json
+++ b/packages/node_modules/node-red/package.json
@@ -37,6 +37,7 @@
         "@node-red/nodes": "4.0.0-beta.4",
         "basic-auth": "2.0.1",
         "bcryptjs": "2.4.3",
+        "cors": "2.8.5",
         "express": "4.19.2",
         "fs-extra": "11.2.0",
         "node-red-admin": "^3.1.3",
diff --git a/packages/node_modules/node-red/red.js b/packages/node_modules/node-red/red.js
index b97806ca8..5f3c9da25 100755
--- a/packages/node_modules/node-red/red.js
+++ b/packages/node_modules/node-red/red.js
@@ -44,6 +44,8 @@ var nopt = require("nopt");
 var path = require("path");
 const os = require("os")
 var fs = require("fs-extra");
+const cors = require('cors');
+
 var RED = require("./lib/red.js");
 
 var server;
@@ -441,10 +443,16 @@ httpsPromise.then(function(startupHttps) {
             const thisRoot = sp.root || "/";
             const options = sp.options;
             const middleware = sp.middleware;
+            const corsOptions = sp.cors || settings.httpStaticCors;
             if(appUseMem[filePath + "::" + thisRoot]) {
                 continue;// this path and root already registered!
             }
             appUseMem[filePath + "::" + thisRoot] = true;
+            if (corsOptions) {
+                const corsHandler = cors(corsOptions);
+                app.options(thisRoot, corsHandler)
+                app.use(thisRoot, corsHandler)
+            }
             if (settings.httpStaticAuth) {
                 app.use(thisRoot, basicAuthMiddleware(settings.httpStaticAuth.user, settings.httpStaticAuth.pass));
             }

From dbd3f0f85bd938ec5d121d86dc130db909dfb719 Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Fri, 14 Jun 2024 15:21:02 +0100
Subject: [PATCH 2/2] Add httpStaticCors to default settings file

---
 packages/node_modules/node-red/settings.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/packages/node_modules/node-red/settings.js b/packages/node_modules/node-red/settings.js
index d83381da3..e8bb01228 100644
--- a/packages/node_modules/node-red/settings.js
+++ b/packages/node_modules/node-red/settings.js
@@ -139,6 +139,7 @@ module.exports = {
  *  - httpNodeMiddleware
  *  - httpStatic
  *  - httpStaticRoot
+ *  - httpStaticCors
  ******************************************************************************/
 
     /** the tcp port that the Node-RED web server is listening on */
@@ -233,6 +234,9 @@ module.exports = {
      *  OR multiple static sources can be created using an array of objects...
      *  Each object can also contain an options object for further configuration.
      *  See https://expressjs.com/en/api.html#express.static for available options.
+     *  They can also contain an option `cors` object to set specific Cross-Origin
+     *  Resource Sharing rules for the source. `httpStaticCors` can be used to
+     *  set a default cors policy across all static routes.
      */
     //httpStatic: [
     //    {path: '/home/nol/pics/',    root: "/img/"},
@@ -250,6 +254,16 @@ module.exports = {
      */
     //httpStaticRoot: '/static/',
 
+    /** The following property can be used to configure cross-origin resource sharing
+     * in the http static routes.
+     * See https://github.com/troygoode/node-cors#configuration-options for
+     * details on its contents. The following is a basic permissive set of options:
+     */
+    //httpStaticCors: {
+    //    origin: "*",
+    //    methods: "GET,PUT,POST,DELETE"
+    //},
+
     /** The following property can be used to modify proxy options */
     // proxyOptions: {
     //     mode: "legacy", // legacy mode is for non-strict previous proxy determination logic (node-red < v4 compatible)