fix: enhancing the security of image proxy (#3176)

.github/workflows/workers.yml

@@ -18,4 +18,5 @@ jobs:
         uses: cloudflare/wrangler-action@2.0.0
         with:
           apiToken: ${{ secrets.CF_API_TOKEN }}
+          accountId: ${{ secrets.CF_ACCOUNT_ID }}
           workingDirectory: 'packages/workers'

packages/workers/src/index.ts

@@ -39,7 +39,12 @@ async function proxyImage(request: Request): Promise<Response> {
 
   const response = await fetch(imageRequest);
   const modifiedResponse = new Response(response.body);
-  modifiedResponse.headers.set('Access-Control-Allow-Origin', '*');
+
+  modifiedResponse.headers.set(
+    'Access-Control-Allow-Origin',
+    request.headers.get('Origin') ?? 'null'
+  );
+  modifiedResponse.headers.set('Vary', 'Origin');
   modifiedResponse.headers.set('Access-Control-Allow-Methods', 'GET');
 
   return modifiedResponse;
@@ -47,7 +52,7 @@ async function proxyImage(request: Request): Promise<Response> {
 
 const handler = {
   async fetch(request: Request) {
-    if (!isOriginAllowed(request.headers.get('Origin') || '', ALLOW_ORIGIN)) {
+    if (!isOriginAllowed(request.headers.get('Origin') ?? '', ALLOW_ORIGIN)) {
       return new Response('unauthorized', { status: 401 });
     }