fix(web): re-apply Content-Encoding and relax X-Frame-Options

R2 Workers binding strips Content-Encoding: gzip from served objects even when stored with that metadata — the Pages Function now re-applies it for .gz keys so browsers decompress the body before parsing as JSON. Change X-Frame-Options from DENY to SAMEORIGIN so the home page can embed /embed.html in its featured-replay iframe (same origin is fine here). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 12:48:24 -04:00 · 2026-04-30 12:48:24 -04:00 · ea8318bc10
commit ea8318bc10
parent c397e66239
2 changed files with 8 additions and 1 deletions
--- a/web/functions/r2/[[path]].ts
+++ b/web/functions/r2/[[path]].ts
@ -26,6 +26,13 @@ export const onRequest: PagesFunction<Env> = async (context) => {
 		headers.set('Cache-Control', 'public, max-age=60');
 		headers.set('Access-Control-Allow-Origin', '*');

+		// R2 binding strips Content-Encoding when serving object body, even when
+		// the object was stored with ContentEncoding metadata. Re-apply it so
+		// browsers know to decompress gzipped objects (.json.gz, .gz).
+		if (key.endsWith('.gz') && !headers.has('Content-Encoding')) {
+			headers.set('Content-Encoding', 'gzip');
+		}
+
 		return new Response(object.body, { headers });
 	} catch (err: unknown) {
 		const msg = err instanceof Error ? err.message : String(err);
--- a/web/public/_headers
+++ b/web/public/_headers
@ -14,5 +14,5 @@
 # Default
 /*
  X-Content-Type-Options: nosniff
-  X-Frame-Options: DENY
+  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block