From e7dbb1605bd31f790db7d885c52c70b092fc22b0 Mon Sep 17 00:00:00 2001
From: colin
Date: Thu, 3 Jul 2025 18:31:20 -0400
Subject: [PATCH] Fix CORS headers for API endpoints to support all common headers and client types

---
 docker/ploughshares/app.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/docker/ploughshares/app.py b/docker/ploughshares/app.py
index dd358e4..ebc3a6e 100644
--- a/docker/ploughshares/app.py
+++ b/docker/ploughshares/app.py
@@ -154,8 +154,13 @@ def add_api_headers(response):
 # Add CORS headers for API routes
 response.headers['Access-Control-Allow-Origin'] = '*'
 response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
- response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+ response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'
+ response.headers['Access-Control-Allow-Credentials'] = 'true'
+ response.headers['Access-Control-Max-Age'] = '3600'
 response.headers['Cross-Origin-Resource-Policy'] = 'cross-origin'
+ # Remove COEP for API routes as it can block some clients
+ if 'Cross-Origin-Embedder-Policy' in response.headers:
+ del response.headers['Cross-Origin-Embedder-Policy']
 else:
 # For UI routes, add additional security headers
 for header, value in additional_headers.items():
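Review bot: The new `Access-Control-Allow-Credentials = 'true'` line is paired with the existing `Access-Control-Allow-Origin = '*'`, a combination browsers refuse for credentialed requests, so it does not help the clients the subject line targets and it documents an intent that any origin may send cookies or an Authorization header; the obvious next "fix" of echoing the request Origin would turn that into cross-site authenticated access to every API route. Either drop the credentials line, or compare `request.headers.get('Origin')` against an explicit allow-list, echo only a matching value into Access-Control-Allow-Origin, and add `Vary: Origin` so caches do not serve one origin's response to another. The same pair is added in the api_options hunk below. The enclosing add_api_headers function starts and ends outside this hunk, so I cannot see whether credentials are actually required on these routes.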
@@ -169,7 +174,9 @@ def api_options(path):
 response = jsonify({'status': 'ok'})
 response.headers['Access-Control-Allow-Origin'] = '*'
 response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
- response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+ response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'
+ response.headers['Access-Control-Allow-Credentials'] = 'true'
+ response.headers['Access-Control-Max-Age'] = '3600'
 return response

 # Create a test API endpoint to verify the CSP settings
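Review bot: The allowed-headers string and the two new header lines are now a verbatim copy of the ones in add_api_headers, and this commit already had to change both copies in lockstep; a future edit that touches only one will leave the preflight and the actual response disagreeing. Hoist the values into a module-level constant, e.g. `CORS_ALLOWED_HEADERS = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'`, and reference it from both places, or have api_options return a bare response and let add_api_headers apply the policy if it already runs for this route (I cannot confirm that from the hunk). The api_options function starts outside this hunk.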