authorization: restrict CORS headers on non-options requests

Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2021-05-23 20:36:26 -04:00 · 2021-05-23 20:36:26 -04:00 · aa9641024a
parent 60d6c748ef
commit aa9641024a
1 changed files with 9 additions and 8 deletions
--- a/moonraker/components/authorization.py
+++ b/moonraker/components/authorization.py
@ -613,14 +613,15 @@ class Authorization:
        if req_hdlr is None:
            return
        req_hdlr.set_header("Access-Control-Allow-Origin", origin)
-        req_hdlr.set_header(
-            "Access-Control-Allow-Methods",
-            "GET, POST, PUT, DELETE, OPTIONS")
-        req_hdlr.set_header(
-            "Access-Control-Allow-Headers",
-            "Origin, Accept, Content-Type, X-Requested-With, "
-            "X-CRSF-Token, Authorization, X-Access-Token, "
-            "X-Api-Key")
+        if req_hdlr.request.method == "OPTIONS":
+            req_hdlr.set_header(
+                "Access-Control-Allow-Methods",
+                "GET, POST, PUT, DELETE, OPTIONS")
+            req_hdlr.set_header(
+                "Access-Control-Allow-Headers",
+                "Origin, Accept, Content-Type, X-Requested-With, "
+                "X-CRSF-Token, Authorization, X-Access-Token, "
+                "X-Api-Key")

    def close(self) -> None:
        self.prune_handler.stop()