Fix CORS headers for API endpoints to support all common headers and client types
This commit is contained in:
parent
b581cfa204
commit
e7dbb1605b
|
@ -154,8 +154,13 @@ def add_api_headers(response):
|
|||
# Add CORS headers for API routes
|
||||
response.headers['Access-Control-Allow-Origin'] = '*'
|
||||
response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
|
||||
response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
|
||||
response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'
|
||||
response.headers['Access-Control-Allow-Credentials'] = 'true'
|
||||
response.headers['Access-Control-Max-Age'] = '3600'
|
||||
response.headers['Cross-Origin-Resource-Policy'] = 'cross-origin'
|
||||
# Remove COEP for API routes as it can block some clients
|
||||
if 'Cross-Origin-Embedder-Policy' in response.headers:
|
||||
del response.headers['Cross-Origin-Embedder-Policy']
|
||||
else:
|
||||
# For UI routes, add additional security headers
|
||||
for header, value in additional_headers.items():
|
||||
|
@ -169,7 +174,9 @@ def api_options(path):
|
|||
response = jsonify({'status': 'ok'})
|
||||
response.headers['Access-Control-Allow-Origin'] = '*'
|
||||
response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
|
||||
response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
|
||||
response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control'
|
||||
response.headers['Access-Control-Allow-Credentials'] = 'true'
|
||||
response.headers['Access-Control-Max-Age'] = '3600'
|
||||
return response
|
||||
|
||||
# Create a test API endpoint to verify the CSP settings
|
||||
|
|
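Review bot: The new `Access-Control-Allow-Credentials` line in add_api_headers is paired with the unchanged `Access-Control-Allow-Origin = '*'` just above it, and browsers reject that combination for credentialed requests, so the added header is inert here; the same pairing is repeated in the api_options preflight hunk. If the API is meant for anonymous calls carrying a bearer token in `Authorization`, credentials mode is not needed and the line `response.headers['Access-Control-Allow-Credentials'] = 'true'` should be dropped in both places. If cookie or HTTP-auth sessions really must work cross-origin, the value has to be a specific origin taken from an allowlist matched against the request's `Origin` header, with `Vary: Origin` set so shared caches do not replay one origin's response to another; reflecting the request origin unconditionally would hand session-authenticated responses to any site, which is the usual way this wildcard gets "fixed" badly. add_api_headers begins before the hunk, so I could not see which branch the CORS block belongs to or what `additional_headers` holds for the UI routes.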