Make sure Scratch assets can be displayed in library

The library uses an <img> tag to load and embed the assets, which is different to how assets are loaded in projects
For this to work, the asset needs to have a Cross-Origin-Resource-Policy set.

Author: zetter-rpf

lib/corp_middleware.rb

@@ -12,7 +12,7 @@ def call(env)
     request_origin = env['HTTP_HOST']
     allowed_origins = OriginParser.parse_origins
 
-    if env['PATH_INFO'].start_with?('/rails/active_storage') && allowed_origins.any? do |origin|
+    if env['PATH_INFO'].start_with?('/rails/active_storage', '/api/scratch/assets/internalapi/asset/') && allowed_origins.any? do |origin|
          origin.is_a?(Regexp) ? origin =~ request_origin : origin == request_origin
        end
       headers['Cross-Origin-Resource-Policy'] = 'cross-origin'

spec/lib/corp_middleware_spec.rb

@@ -18,6 +18,12 @@
     expect(headers['Cross-Origin-Resource-Policy']).to eq('cross-origin')
   end
 
+  it 'sets the Cross-Origin-Resource-Policy header for requests to scratch assets' do
+    _status, headers, _response = middleware.call(env.merge('PATH_INFO' => '/api/scratch/assets/internalapi/asset/123/get/'))
+
+    expect(headers['Cross-Origin-Resource-Policy']).to eq('cross-origin')
+  end
+
   it 'sets the Cross-Origin-Resource-Policy header for regex origin' do
     allow(ENV).to receive(:[]).with('ALLOWED_ORIGINS').and_return('/test\.com/')