authorization: restrict CORS headers on non-options requests

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
Arksine 2021-05-23 20:36:26 -04:00
parent 60d6c748ef
commit aa9641024a
1 changed files with 9 additions and 8 deletions


@ -613,14 +613,15 @@ class Authorization:
if req_hdlr is None: if req_hdlr is None:
return return
req_hdlr.set_header("Access-Control-Allow-Origin", origin) req_hdlr.set_header("Access-Control-Allow-Origin", origin)
req_hdlr.set_header( if req_hdlr.request.method == "OPTIONS":
"Access-Control-Allow-Methods", req_hdlr.set_header(
"GET, POST, PUT, DELETE, OPTIONS") "Access-Control-Allow-Methods",
req_hdlr.set_header( "GET, POST, PUT, DELETE, OPTIONS")
"Access-Control-Allow-Headers", req_hdlr.set_header(
"Origin, Accept, Content-Type, X-Requested-With, " "Access-Control-Allow-Headers",
"X-CRSF-Token, Authorization, X-Access-Token, " "Origin, Accept, Content-Type, X-Requested-With, "
"X-Api-Key") "X-CRSF-Token, Authorization, X-Access-Token, "
"X-Api-Key")
def close(self) -> None: def close(self) -> None:
self.prune_handler.stop() self.prune_handler.stop()
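Review bot: The `Access-Control-Allow-Headers` list that now sits inside the `OPTIONS` branch still names `X-CRSF-Token`, which looks like a misspelling of `X-CSRF-Token`. If any client sends the correctly spelled header on a cross-origin request, its preflight will be rejected; if none does, the entry can be dropped, so either way the line would read `"X-CSRF-Token, Authorization, X-Access-Token, "`. Separately, `Access-Control-Allow-Origin` is set from the per-request `origin` value on every response, so adding `req_hdlr.set_header("Vary", "Origin")` next to it would stop a shared cache from serving one origin's response to another; how `origin` is validated is decided above this hunk and is not visible here. A one-line comment above the new `if`, such as `# Allow-Methods/Allow-Headers are only meaningful on preflight responses`, would record why the branch exists.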