From c6e04257cc0673fe73a1b7170f6150a8adc55559 Mon Sep 17 00:00:00 2001
From: sapphi-red <49056869+sapphi-red@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:23:43 +0900
Subject: [PATCH] fix: allow no-cors requests for non-script tag requests

---
 .../server/middlewares/rejectNoCorsRequest.ts |  8 +++--
 .../fs-serve/__tests__/fs-serve.spec.ts       | 35 +++++++++++++++++--
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/packages/vite/src/node/server/middlewares/rejectNoCorsRequest.ts b/packages/vite/src/node/server/middlewares/rejectNoCorsRequest.ts
index 29c67af9dab9f1..ebc025aca37cc4 100644
--- a/packages/vite/src/node/server/middlewares/rejectNoCorsRequest.ts
+++ b/packages/vite/src/node/server/middlewares/rejectNoCorsRequest.ts
@@ -21,10 +21,14 @@ export function rejectNoCorsRequestMiddleware(): Connect.NextHandleFunction {
     // we choose to reject the request to be safer in case the request handler has any side-effects.
     if (
       req.headers['sec-fetch-mode'] === 'no-cors' &&
-      req.headers['sec-fetch-site'] !== 'same-origin'
+      req.headers['sec-fetch-site'] !== 'same-origin' &&
+      // we only need to block classic script requests
+      req.headers['sec-fetch-dest'] === 'script'
     ) {
       res.statusCode = 403
-      res.end('Cross-origin requests must be made with CORS mode enabled.')
+      res.end(
+        'Cross-origin requests for classic scripts must be made with CORS mode enabled. Make sure to set the "crossorigin" attribute on your <script> tag.',
+      )
       return
     }
     return next()
diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
index d48c6e4d17072f..a728a22fc5aff4 100644
--- a/playground/fs-serve/__tests__/fs-serve.spec.ts
+++ b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -614,12 +614,43 @@ test.runIf(isServe)(
     })
     expect(res.statusCode).toBe(403)
     const body = Buffer.concat(await ArrayFromAsync(res)).toString()
-    expect(body).toBe(
-      'Cross-origin requests must be made with CORS mode enabled.',
+    expect(body).toContain(
+      'Cross-origin requests for classic scripts must be made with CORS mode enabled.',
     )
   },
 )
 
+test.runIf(isServe)(
+  'load image with no-cors mode from a different origin should be allowed',
+  async () => {
+    const viteTestUrlUrl = new URL(viteTestUrl)
+
+    // NOTE: fetch cannot be used here as `fetch` sets some headers automatically
+    const res = await new Promise<http.IncomingMessage>((resolve, reject) => {
+      http
+        .get(
+          viteTestUrl + '/src/code.js',
+          {
+            headers: {
+              'Sec-Fetch-Dest': 'image',
+              'Sec-Fetch-Mode': 'no-cors',
+              'Sec-Fetch-Site': 'same-site',
+              Origin: 'http://vite.dev',
+              Host: viteTestUrlUrl.host,
+            },
+          },
+          (res) => {
+            resolve(res)
+          },
+        )
+        .on('error', (e) => {
+          reject(e)
+        })
+    })
+    expect(res.statusCode).not.toBe(403)
+  },
+)
+
 // Note: Array.fromAsync is only supported in Node.js 22+
 async function ArrayFromAsync<T>(
   asyncIterable: AsyncIterable<T>,