Flask Application for entering data
prompt engineering
I have a website that is hosted on Cloudflare. Assets are stored in a private bucket on Backblaze, and a Cloudflare Worker uses the key to retrieve assets.
what the worker (old mud) does
Checks who is asking for the file – For most files, it only lets requests come from your allowed websites (via Origin or Referer). PDFs are special: they bypass this so they can show in iframes.
Handles browser “preflight” requests – Some browsers ask permission before fetching a file (OPTIONS requests). The Worker responds correctly so browsers don’t block the request.
Gets the file from Backblaze B2 – It uses your secret key to ask Backblaze for the private file and downloads it.
Adds headers for browsers – It sets caching and CORS headers (so JS can fetch the file), and for PDFs specifically it sets Content-Disposition to inline so the file can display in an iframe instead of forcing a download.
Returns the file to the browser – After all checks and header tweaks, it sends the file back so the browser can display or download it safely.
/**
 * Origins (scheme, host and optional port) whose pages may load the private
 * assets served by handleRequest. Kept as a plain array so the gate in
 * handleRequest can scan it directly.
 */
const ALLOWED_ORIGINS = ["https://christopherpaine.org", "http://localhost:4000"];
/**
 * Worker entry point (service-worker syntax): every incoming fetch event is
 * answered by the Promise<Response> that handleRequest produces.
 */
addEventListener("fetch", (event) => {
  const pending = handleRequest(event.request);
  event.respondWith(pending);
});
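/** Mount point under which private assets are exposed by this Worker. */
const ASSET_PREFIX = "/private_assets/";

/** B2 account-authorization endpoint (v2 API). */
const B2_AUTHORIZE_URL = "https://api.backblazeb2.com/b2api/v2/b2_authorize_account";

/**
 * Decide whether a request may load a gated (non-PDF) asset.
 *
 * The Origin header, when present, must equal an allowed origin exactly.
 * Otherwise the Referer is parsed and its origin must match exactly. A prefix
 * comparison is deliberately avoided: `startsWith("https://christopherpaine.org")`
 * would also accept an origin such as `https://christopherpaine.org.<other-host>`.
 *
 * @param {string} origin - value of the Origin header, "" when absent
 * @param {string} referer - value of the Referer header, "" when absent
 * @returns {boolean} true when the request comes from an allowed site
 */
function isAllowedSource(origin, referer) {
  if (origin !== "" && ALLOWED_ORIGINS.includes(origin)) {
    return true;
  }
  if (referer === "") {
    return false;
  }
  try {
    return ALLOWED_ORIGINS.includes(new URL(referer).origin);
  } catch {
    // A malformed Referer is treated as no Referer at all.
    return false;
  }
}

/**
 * Build a plain-text error response that still carries the CORS headers, so
 * the browser surfaces the status instead of a generic CORS failure.
 *
 * @param {number} status - HTTP status to return
 * @param {string} message - short, non-sensitive body text
 * @param {Headers} corsHeaders - headers to copy onto the response
 * @returns {Response}
 */
function errorResponse(status, message, corsHeaders) {
  const headers = new Headers(corsHeaders);
  headers.set("Content-Type", "text/plain");
  return new Response(message, { status, headers });
}

/**
 * Serve one private asset from Backblaze B2 to an allowed site.
 *
 * Flow: answer CORS preflight; check that the path is under ASSET_PREFIX;
 * gate on Origin/Referer (PDFs are exempt so they can be embedded in
 * iframes); authorize against B2 with the Worker's secrets; fetch the object;
 * forward it with caching, CORS and (for PDFs) inline-display headers.
 *
 * @param {Request} request - the incoming fetch event's request
 * @returns {Promise<Response>} the asset, a 204 for preflight, or an error response
 */
async function handleRequest(request) {
  const origin = request.headers.get("Origin") || "";
  const referer = request.headers.get("Referer") || "";

  // ---- CORS headers ----
  // Allow-Origin echoes whatever Origin the caller sent. For non-PDF assets
  // that is harmless because the gate below rejects unknown origins first;
  // PDFs skip the gate, so any page can read them cross-origin — narrow this
  // if PDFs ever need to stay private.
  const corsHeaders = new Headers();
  corsHeaders.set("Access-Control-Allow-Origin", origin || "*");
  corsHeaders.set("Vary", "Origin");
  corsHeaders.set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS");
  corsHeaders.set("Access-Control-Allow-Headers", "Authorization, Content-Type");
  corsHeaders.set("Access-Control-Expose-Headers", "Content-Disposition");

  // Handle preflight requests
  if (request.method === "OPTIONS") {
    return new Response(null, { status: 204, headers: corsHeaders });
  }

  // ---- Resolve asset path ----
  // Only paths under the mount point are served. A bare replace() of the
  // prefix would strip it from anywhere in the path (or not at all) and hand
  // whatever remained straight to B2.
  const url = new URL(request.url);
  if (!url.pathname.startsWith(ASSET_PREFIX)) {
    return errorResponse(404, "Not found", corsHeaders);
  }
  const assetPath = url.pathname.slice(ASSET_PREFIX.length);
  if (assetPath === "") {
    return errorResponse(404, "Not found", corsHeaders);
  }
  const isPdf = assetPath.endsWith(".pdf");

  // ---- Origin / Referer gate ----
  // PDFs bypass the origin/referer check to allow iframe embedding.
  if (!isPdf && !isAllowedSource(origin, referer)) {
    return errorResponse(403, "Forbidden", corsHeaders);
  }

  // ---- Authorize with Backblaze B2 ----
  // Credentials come from Worker secrets (configured with `wrangler secret put`),
  // never from source. B2_KEY_ID and B2_APPLICATION_KEY are placeholder binding
  // names — use whatever names the deployment defines. Any key that was ever
  // embedded in this file should be treated as exposed and rotated.
  if (typeof B2_KEY_ID !== "string" || typeof B2_APPLICATION_KEY !== "string") {
    console.error("B2 credentials are not configured as Worker secrets");
    return errorResponse(500, "Server misconfigured", corsHeaders);
  }
  const basicAuth = btoa(`${B2_KEY_ID}:${B2_APPLICATION_KEY}`);
  const authResponse = await fetch(B2_AUTHORIZE_URL, {
    headers: { Authorization: `Basic ${basicAuth}` },
  });
  if (!authResponse.ok) {
    // Log the status for the operator; the client only sees a generic error.
    console.error(`B2 authorize failed with status ${authResponse.status}`);
    return errorResponse(500, "Upstream error", corsHeaders);
  }
  const authData = await authResponse.json();
  const downloadUrl = `${authData.downloadUrl}/file/cp-private-assets/${assetPath}`;

  // ---- Fetch file ----
  const fileResponse = await fetch(downloadUrl, {
    headers: { Authorization: authData.authorizationToken },
  });
  if (!fileResponse.ok) {
    // B2's error body is not echoed to the client: it describes the bucket,
    // the object and the failure mode, which only the operator needs.
    console.error(`B2 download failed with status ${fileResponse.status} for ${assetPath}`);
    if (fileResponse.status === 404) {
      return errorResponse(404, "Not found", corsHeaders);
    }
    return errorResponse(500, "Upstream error", corsHeaders);
  }

  // ---- Forward file + headers ----
  const headers = new Headers(fileResponse.headers);

  // Set caching. NOTE(review): `public` lets shared caches between the Worker
  // and the browser serve this gated file without re-running the gate; use
  // `private` if that matters for the deployment.
  headers.set("Cache-Control", "public, max-age=31536000");

  // Merge CORS
  for (const [name, value] of corsHeaders) {
    headers.set(name, value);
  }

  // PDF fix for iframes: force inline display and drop any framing
  // restrictions B2 may have attached.
  if (isPdf) {
    headers.set("Content-Type", "application/pdf");
    headers.set("Content-Disposition", "inline");
    headers.delete("X-Frame-Options");
    headers.delete("Content-Security-Policy");
  }

  return new Response(fileResponse.body, { headers });
}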