From 60aa52b753af449f4d66cf98b4745a483c9b3476 Mon Sep 17 00:00:00 2001
From: Aaron Boushley <boushley@extrahop.com>
Date: Thu, 14 May 2015 09:46:36 -0700
Subject: [PATCH] Enable CORS requests to pass necessary headers.

To fully enable session deletion over CORS we need support for passing the
`X-Requested-With` header so that these requests can pass the `check-xhr` filter.

I also allowed the `X-CSRF-Token` to enable the alternative CSRF passing syntax.
---
 config/initializers/08-rack-cors.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/initializers/08-rack-cors.rb b/config/initializers/08-rack-cors.rb
index 8ed2a38e934..83f77d44c1a 100644
--- a/config/initializers/08-rack-cors.rb
+++ b/config/initializers/08-rack-cors.rb
@@ -29,7 +29,8 @@ if GlobalSetting.enable_cors
         end
 
         headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
-        headers['Access-Control-Allow-Credentials'] = "true"
+        headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token'
+        headers['Access-Control-Allow-Credentials'] = 'true'
       end
 
       headers