From f87476d067d467856608663f90be96776f8855bc Mon Sep 17 00:00:00 2001
From: abose <arun@core.ai>
Date: Sun, 19 Apr 2026 19:57:29 +0530
Subject: [PATCH] fix: markdown viewer doesnt appear in prod windows builds

---
 src-tauri/src/main.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src-tauri/src/main.rs b/src-tauri/src/main.rs
index 5793f43..03ca5d0 100644
--- a/src-tauri/src/main.rs
+++ b/src-tauri/src/main.rs
@@ -829,8 +829,12 @@ fn main() {
             #[cfg(not(windows))]
                 let window_origin = "phtauri://localhost";
 
+            // Wildcard ACAO so CORS succeeds for null-origin sandboxed iframes (the
+            // markdown viewer is sandboxed without allow-same-origin to contain
+            // untrusted markdown). Safe: phtauri://localhost isn't reachable from
+            // outside the Tauri webview, and these responses carry no credentials.
             let builder = ResponseBuilder::new()
-                .header("Access-Control-Allow-Origin", window_origin)
+                .header("Access-Control-Allow-Origin", "*")
                 .header("Origin", window_origin)
                 .header("Cache-Control", "private, max-age=7776000, immutable") // 3 month cache age expiry
                 .mimetype(&asset.mime_type);