diff -r ac0df9272162 roundup/cgi/client.py
--- a/roundup/cgi/client.py Tue May 03 13:16:28 2022 -0400
+++ b/roundup/cgi/client.py Wed May 04 08:04:00 2022 +0200
@@ -608,6 +608,35 @@
         self.determine_language()
         # Open the database as the correct user.
         # TODO: add everything to RestfulDispatcher
+
+        # handle preflight request
+        if ( self.env['REQUEST_METHOD'] == "OPTIONS"
+             and self.request.headers.get ("Access-Control-Request-Headers")
+             and self.request.headers.get ("Access-Control-Request-Method")
+             and self.request.headers.get ("Origin")
+           ):
+            self.setHeader(
+                "Access-Control-Allow-Origin",
+                self.request.headers.get ("Origin")
+            )
+            self.setHeader(
+                "Access-Control-Allow-Methods",
+                "OPTIONS, GET, POST, PUT, DELETE, PATCH"
+            )
+            self.setHeader(
+                "Access-Control-Allow-Credentials",
+                "true"
+            )
+            self.setHeader(
+                "Access-Control-Allow-Headers",
+                "Content-Type, x-requested-with, x-http-method-override"
+            )
+            self.setHeader("Access-Control-Max-Age", "86400")
+            self.setHeader("Content-Type", "text/plain")
+            self.setHeader("Content-Length", "0")
+            self.write ("")
+            return
+
         try:
             self.determine_user()
             self.db.tx_Source = "rest"
diff -r ac0df9272162 roundup/rest.py
--- a/roundup/rest.py Tue May 03 13:16:28 2022 -0400
+++ b/roundup/rest.py Wed May 04 08:04:00 2022 +0200
@@ -2162,7 +2162,10 @@
         data_type = ext_type or accept_type or headers.get('Accept') or "invalid"
 
         # add access-control-allow-* to support CORS
-        self.client.setHeader("Access-Control-Allow-Origin", "*")
+        self.client.setHeader(
+            "Access-Control-Allow-Origin",
+            self.client.request.headers.get ("Origin")
+        )
         self.client.setHeader(
             "Access-Control-Allow-Headers",
             "Content-Type, Authorization, X-Requested-With, X-HTTP-Method-Override"
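Review bot: The preflight branch copies the request's Origin header straight into Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, and nothing in the hunk checks that origin against a configured allow-list, so every origin is granted credentialed cross-origin access; the rest.py hunk below reflects Origin the same way. Before reflecting, compare it with the tracker's allowed origins, e.g. `origin = self.request.headers.get("Origin")` followed by `if origin not in ALLOWED_ORIGINS:  # placeholder for the configured allow-list` and skip the CORS headers in that case, and add `self.setHeader("Vary", "Origin")` so a shared cache does not hand one origin's response to another. The preflight's Access-Control-Allow-Headers also omits Authorization, which the rest.py hunk's list includes, so a browser preflighting a request that carries an Authorization header will be refused here; align the two lists. The enclosing method starts and ends outside the hunk.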
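Review bot: Access-Control-Allow-Origin is now taken from `self.client.request.headers.get ("Origin")` with no fallback, so a same-origin or non-browser request that carries no Origin header passes None to setHeader where the old code always sent "*"; what setHeader does with a None value is not visible here, but emitting a literal "None" or raising are both plausible. Guard it: `origin = self.client.request.headers.get("Origin")` and call setHeader only when `origin` is present and accepted by the allow-list, otherwise leave the header out entirely. The enclosing method starts and ends outside the hunk.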
@@ -2175,6 +2178,10 @@
             "Access-Control-Allow-Methods",
             "HEAD, OPTIONS, GET, POST, PUT, DELETE, PATCH"
         )
+        self.client.setHeader(
+            "Access-Control-Allow-Credentials",
+            "true"
+        )
         # Is there an input.value with format json data?
         # If so turn it into an object that emulates enough
         # of the FieldStorge methods/props to allow a response.
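Review bot: Access-Control-Allow-Credentials: true is emitted unconditionally on every REST response, independent of whether an Origin was present or accepted a few lines above, and once the allowed origin is reflected rather than fixed this header is exactly what lets a cross-origin page have the browser attach the session cookie. Emit it only inside the branch that has validated the origin, e.g. `if origin_allowed: self.client.setHeader("Access-Control-Allow-Credentials", "true")` where `origin_allowed` (placeholder name) is the result of the allow-list check. The enclosing method starts and ends outside the hunk.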