From 7b1da527a6dfd453a3d3d16ef2acd64565107991 Mon Sep 17 00:00:00 2001
From: vpl <vpl@vpl.me>
Date: Tue, 1 Oct 2019 17:26:58 +0200
Subject: [PATCH] Change CORS headers

Only add Allow-Origin to all requests and move the others to preflight OPTIONS request.
If Origin is `file://` change it to the wildcard.
---
 src/util.rs | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/util.rs b/src/util.rs
index 741f06a8..39ee1f99 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -42,6 +42,13 @@ impl CORS {
             _ => "".to_string(),
         }
     }
+
+    fn valid_url(url: String) -> String {
+        match url.as_ref() {
+            "file://" => "*".to_string(),
+            _ => url,
+        }
+    }
 }
 
 impl Fairing for CORS {
@@ -56,21 +63,17 @@ impl Fairing for CORS {
         let req_headers = request.headers();
 
         // We need to explicitly get the Origin header for Access-Control-Allow-Origin
-        let req_allow_origin = CORS::get_header(&req_headers, "Origin");
+        let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin"));
 
-        let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+        response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
 
-        let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
+        if request.method() == Method::Options {
+            let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+            let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
 
-        if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
-            // Requests with credentials need explicit values since they do not allow wildcards.
-            response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
             response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
             response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
             response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
-        }
-
-        if request.method() == Method::Options {
             response.set_status(Status::Ok);
             response.set_header(ContentType::Plain);
             response.set_sized_body(Cursor::new(""));