Three issues found while debugging shared-book links:
- /s cover was a broken <img>: the page runs under COEP: require-corp (for
Turso SharedArrayBuffer), and the cover redirects to a cross-origin R2
presigned URL that can't carry a Cross-Origin-Resource-Policy header, so the
browser blocked it. R2 already has CORS, but that's a different header — a
plain no-cors <img> needs CORP, which presigned URLs can't set. Serve /s with
COEP: credentialless, which keeps the page cross-origin isolated (the Turso
replica still boots there) while allowing the image. Scoped to /s; every other
route keeps require-corp.
- Android share links (https://web.readest.com/s/{token}) were run through the
article clipper: useClipUrlIngress excluded annotation links but not share
links, so they fell through to clip_url/readability. Skip parseShareDeepLink
URLs — useOpenShareLink owns that path.
- In-app book import failed with "Origin null is not allowed": the importer
fetched /share/{token}/download with the renderer's fetch, and on the app
(tauri.localhost -> web -> R2) the second cross-origin redirect nulls the
request Origin, which R2's CORS rejects. Use the native HTTP client
(tauriFetch) on the app — it follows the redirect and ignores CORS, needs no
server change, and works against the deployed server. Web is unaffected: its
fetch's redirect to R2 is the first cross-origin hop, so the Origin is
preserved and R2 allows it.
Adds unit tests (middleware COEP per route, clipper skips share links, download
route 302, importer uses native HTTP on app and the renderer fetch on web).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>