From dd9d8151781b7c551099112459f4fe1d16fd48e1 Mon Sep 17 00:00:00 2001
From: Davide Porrovecchio
Date: Tue, 24 Jul 2018 02:28:23 +0200
Subject: [PATCH] FIX: Add User Api Key headers to CORS
- add User-Api-Key and User-Api-Client-Id to Access-Control-Allow-Headers
- update test
---
 config/initializers/008-rack-cors.rb | 2 +-
 spec/components/hijack_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/initializers/008-rack-cors.rb b/config/initializers/008-rack-cors.rb
index 689cdd3e2ea..e46e635a165 100644
--- a/config/initializers/008-rack-cors.rb
+++ b/config/initializers/008-rack-cors.rb
@@ -39,7 +39,7 @@ class Discourse::Cors
 end
 headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
- headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible'
+ headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id'
 headers['Access-Control-Allow-Credentials'] = 'true'
 end
diff --git a/spec/components/hijack_spec.rb b/spec/components/hijack_spec.rb
index 0a8b44eeee0..3cc9ff25e90 100644
--- a/spec/components/hijack_spec.rb
+++ b/spec/components/hijack_spec.rb
@@ -107,7 +107,7 @@ describe Hijack do
 expected = {
 "Access-Control-Allow-Origin" => "www.rainbows.com",
- "Access-Control-Allow-Headers" => "X-Requested-With, X-CSRF-Token, Discourse-Visible",
+ "Access-Control-Allow-Headers" => "X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id",
 "Access-Control-Allow-Credentials" => "true"
 }
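Review bot: The new `Access-Control-Allow-Headers` value in `config/initializers/008-rack-cors.rb` lets browser scripts on any permitted origin send `User-Api-Key` and `User-Api-Client-Id`, and it sits next to `Access-Control-Allow-Credentials: true`, yet nothing at this line records that the origin match is now the only gate on cross-site, key-authenticated requests. The origin comparison and the rest of the method are outside the hunk, so it is worth confirming that it is an exact match against the configured list and that the `origin || cors_origins[0]` fallback never echoes an unlisted origin. I would add a comment above the assignment such as `# User-Api-Key / User-Api-Client-Id let allowed origins authenticate with a user API key; keep this list minimal and the origin check strict`. As a style point, the same literal is repeated verbatim in the `spec/components/hijack_spec.rb` hunk; a frozen constant on `Discourse::Cors` that the spec references would keep the two from drifting the next time a header is added.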