fix: return not found for missing public assets

kof · kof · commit eaefb24c79ff · 2026-04-29T18:43:10.000Z
diff --git a/apps/builder/app/routes/_ui.$.test.ts b/apps/builder/app/routes/_ui.$.test.ts
@@ -0,0 +1,31 @@
+import { afterEach, describe, expect, test, vi } from "vitest";
+import { loader } from "./_ui.$";
+
+describe("_ui.$ loader", () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  test("returns 404 for missing apple touch icons without cross-origin logging", async () => {
+    const consoleInfo = vi.spyOn(console, "info").mockImplementation(() => {});
+    const request = new Request(
+      "https://p-project.apps.webstudio.is/apple-touch-icon-precomposed.png",
+      {
+        headers: {
+          accept: "*/*",
+        },
+      }
+    );
+
+    await expect(
+      loader({
+        request,
+        params: {},
+        context: {},
+      })
+    ).rejects.toMatchObject({
+      status: 404,
+    });
+    expect(consoleInfo).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/builder/app/routes/_ui.$.tsx b/apps/builder/app/routes/_ui.$.tsx
@@ -6,10 +6,6 @@ import { preventCrossOriginCookie } from "~/services/no-cross-origin-cookie";
 export { ErrorBoundary } from "~/shared/error/error-boundary";
 
 export const loader = async ({ request }: LoaderFunctionArgs) => {
-  preventCrossOriginCookie(request);
-
-  // No data to protect with CSRF token
-
   const url = new URL(request.url);
 
   // Redirecting asset files (e.g., .js, .css) to the dashboard should be avoided.
@@ -28,6 +24,10 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     });
   }
 
+  preventCrossOriginCookie(request);
+
+  // No data to protect with CSRF token
+
   const contentType = request.headers.get("Content-Type");
 
   if (contentType?.includes("application/json")) {
