From aa9641024a2a8884d9dd212edbf8e3628cdb92df Mon Sep 17 00:00:00 2001
From: Arksine
Date: Sun, 23 May 2021 20:36:26 -0400
Subject: [PATCH] authorization: restrict CORS headers on non-options requests
Signed-off-by: Eric Callahan
---
 moonraker/components/authorization.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/moonraker/components/authorization.py b/moonraker/components/authorization.py
index bbe7431..d83812a 100644
--- a/moonraker/components/authorization.py
+++ b/moonraker/components/authorization.py
@@ -613,14 +613,15 @@ class Authorization:
 if req_hdlr is None:
 return
 req_hdlr.set_header("Access-Control-Allow-Origin", origin)
- req_hdlr.set_header(
- "Access-Control-Allow-Methods",
- "GET, POST, PUT, DELETE, OPTIONS")
- req_hdlr.set_header(
- "Access-Control-Allow-Headers",
- "Origin, Accept, Content-Type, X-Requested-With, "
- "X-CRSF-Token, Authorization, X-Access-Token, "
- "X-Api-Key")
+ if req_hdlr.request.method == "OPTIONS":
+ req_hdlr.set_header(
+ "Access-Control-Allow-Methods",
+ "GET, POST, PUT, DELETE, OPTIONS")
+ req_hdlr.set_header(
+ "Access-Control-Allow-Headers",
+ "Origin, Accept, Content-Type, X-Requested-With, "
+ "X-CRSF-Token, Authorization, X-Access-Token, "
+ "X-Api-Key")
 
 def close(self) -> None:
 self.prune_handler.stop()
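Review bot: The header allowlist that the new OPTIONS branch re-emits still names `X-CRSF-Token`, which looks like a transposition of the conventional `X-CSRF-Token`; if a browser client sends the conventional spelling, the preflight will reject that request, so confirm which name the clients actually send before keeping it. The gate itself is sound, since Allow-Methods and Allow-Headers are only consulted during preflight, but the intent is not stated; a comment such as `# Allow-Methods/Allow-Headers are only consulted during preflight, so emit them on OPTIONS only` above the new `if` would save the next reader the reasoning. The context line above the branch still reflects `Access-Control-Allow-Origin` per request; because that value differs by origin, the response should also carry `Vary: Origin` (`req_hdlr.set_header("Vary", "Origin")`) so a shared cache cannot serve one origin's response to another. The enclosing method begins before the hunk, so whatever validates `origin` is not visible here.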