@rongquan1 rongquan1 commented Oct 21, 2025

Summary by CodeRabbit

netlify bot commented Oct 21, 2025

Deploy Preview for tradetrust-gallery ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 10765de |
| 🔍 Latest deploy log | https://app.netlify.com/projects/tradetrust-gallery/deploys/68f7425b6c9dc300084bb0ee |
| 😎 Deploy Preview | https://deploy-preview-28--tradetrust-gallery.netlify.app |

To edit notification comments on pull requests, go to your Netlify project configuration.

@rongquan1 rongquan1 changed the title from "fix: fix: add cors header to allow access from ref.tradetrust.io" to "fix: add cors header to allow access from ref.tradetrust.io" Oct 21, 2025

coderabbitai bot commented Oct 21, 2025

Walkthrough

Added an Access-Control-Allow-Origin header set to "https://ref.tradetrust.io" in netlify.toml under the existing headers configuration for the /* path, alongside existing security headers like X-Frame-Options and Content-Security-Policy.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CORS header configuration: netlify.toml | Added Access-Control-Allow-Origin: https://ref.tradetrust.io header to enable cross-origin requests from the specified origin. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • TradeTrust/gallery#27: Modifies netlify.toml CORS and security header configuration with similar Access-Control-Allow-Origin and related header updates.

Suggested reviewers

  • RishabhS7

Poem

🐰 A header hops through the config so fine,
Cross-origin dance at ref.tradetrust.io's line,
CORS now permits this trusted domain,
Let data flow freely, no more refrain! 🌐✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description Check | ⚠️ Warning | No pull request description was provided by the author, which means all required sections from the repository's description template are missing. The template specifies four key sections: Summary (background), Changes (detailed modifications), Issues (related issues or stories), and Releases (channel and ETA information). The complete absence of any descriptive content means the description is largely incomplete and does not meet the template requirements for providing context and details about the pull request. | The author should add a pull request description following the repository's template structure. At minimum, the description should include a summary explaining the background and rationale for adding this CORS header, a detailed explanation of the changes made, identification of any related issues or stories, and information about the target release channel and timeline. This will provide reviewers with necessary context to properly evaluate and merge the pull request. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The pull request title "fix: add cors header to allow access from ref.tradetrust.io" clearly and concisely describes the main change in the changeset. According to the raw summary, the primary modification is adding an Access-Control-Allow-Origin header set to "https://ref.tradetrust.io" in netlify.toml, which matches the title exactly. The title uses conventional commit conventions with the "fix:" prefix and provides specific information about both the action (add cors header) and the target domain, making it immediately understandable to reviewers scanning the pull request history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e91df44 and 10765de.

📒 Files selected for processing (1)
  • netlify.toml (1 hunks)
🔇 Additional comments (1)
netlify.toml (1)

8-8: Verify the origin is authorized and CORS scope is complete.

The addition of the Access-Control-Allow-Origin header is a sensible security practice (using a specific origin instead of wildcard). However, a few items need verification:

  1. Confirm that https://ref.tradetrust.io is the intended and authorized domain that should have cross-origin access to this gallery.
  2. Determine if this origin only needs to make simple cross-origin requests, or if it requires additional CORS headers such as Access-Control-Allow-Methods, Access-Control-Allow-Headers, or Access-Control-Allow-Credentials to support its use case.
  3. Note that the existing X-Frame-Options: "DENY" and Content-Security-Policy headers prevent framing—confirm this intentional separation (allow CORS requests but deny embedding) aligns with your security model.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.
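
The second item in the review above (simple cross-origin requests versus requests that need further CORS headers) can be checked with a small model of the browser's CORS logic. This is an added example, not code from the pull request or the TradeTrust project; `corsVerdict`, `probe`, the sample header set and `https://other.example` are constructed for illustration, and the preflight reply is assumed to carry the same headers as the main response.

```javascript
// Simplified model of the browser's CORS checks (added example, not project code).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Content-Type is safelisted only for three form/text values, so this model
// treats it like any other header that forces a preflight.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
// req: { origin, method, headers: [names], credentials: boolean }
// res: response headers keyed in lower case; assumed identical on the
// OPTIONS preflight reply, as with a static header rule.
function corsVerdict(req, res) {
  const acao = res["access-control-allow-origin"];
  if (acao === undefined) return "blocked: no Access-Control-Allow-Origin";
  if (acao === "*") {
    if (req.credentials) return "blocked: wildcard origin with credentials";
  } else if (acao !== req.origin) {
    return "blocked: origin mismatch";
  }
  if (req.credentials && res["access-control-allow-credentials"] !== "true")
    return "blocked: Access-Control-Allow-Credentials is not true";

  const extra = req.headers.map((h) => h.toLowerCase()).filter((h) => !SAFE_HEADERS.has(h));
  if (SAFE_METHODS.has(req.method) && extra.length === 0) return "allowed";
  // Preflight: "*" only counts as a wildcard for requests without credentials.
  const wild = (vals) => !req.credentials && vals.includes("*");
  const methods = list(res["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method) && !wild(methods))
    return "blocked: preflight rejects method " + req.method;
  const allowed = list(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const missing = extra.filter((h) => !allowed.includes(h) && !wild(allowed));
  if (missing.length) return "blocked: preflight rejects header " + missing[0];
  return "allowed";
}

// Constructed sample: the one CORS header named in the review, plus X-Frame-Options.
const galleryHeaders = {
  "access-control-allow-origin": "https://ref.tradetrust.io",
  "x-frame-options": "DENY", // framing control; plays no part in the CORS check
};
const REF = "https://ref.tradetrust.io";
const probe = (over) =>
  corsVerdict({ origin: REF, method: "GET", headers: [], credentials: false, ...over }, galleryHeaders);
const verdicts = {
  simpleGet: probe({}),
  otherOrigin: probe({ origin: "https://other.example" }),
  withCookies: probe({ credentials: true }),
  jsonPost: probe({ method: "POST", headers: ["Content-Type"] }),
  put: probe({ method: "PUT" }),
};
console.log(verdicts);
```

With only Access-Control-Allow-Origin set, a plain GET from the named origin is readable, while credentialed requests, POSTs that send a Content-Type header and PUTs are refused until the matching Allow-Credentials, Allow-Headers or Allow-Methods header is added.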

@rongquan1 rongquan1 requested a review from RishabhS7 October 21, 2025 08:21
@RishabhS7 RishabhS7 merged commit 0106ef3 into main Oct 21, 2025
6 checks passed
@RishabhS7 RishabhS7 deleted the fix/security branch October 21, 2025 08:22
@coderabbitai coderabbitai bot mentioned this pull request Oct 29, 2025

3 participants