From a2c5376d9ac5db328d407d6ba4bd7f21c107df51 Mon Sep 17 00:00:00 2001
From: Otto Richter <otto@codeberg.org>
Date: Sun, 10 Apr 2022 18:11:00 +0200
Subject: [PATCH] Fix CORS / add Access-Control-Allow-Origin * to all methods
 (#69)

The header is not only necessary on the OPTIONS request, but on any method, so I removed the condition.

Serving any workadventure map was broken BTW. We should have tested this :-(

Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/69
Reviewed-by: Andreas Shimokawa <ashimokawa@noreply.codeberg.org>
Co-authored-by: Otto Richter <otto@codeberg.org>
Co-committed-by: Otto Richter <otto@codeberg.org>
---
 server/handler.go | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/server/handler.go b/server/handler.go
index 60f5809..8445850 100644
--- a/server/handler.go
+++ b/server/handler.go
@@ -54,19 +54,19 @@ func Handler(mainDomainSuffix, rawDomain []byte,
 		}
 
 		// Allow CORS for specified domains
+		allowCors := false
+		for _, allowedCorsDomain := range allowedCorsDomains {
+			if bytes.Equal(trimmedHost, allowedCorsDomain) {
+				allowCors = true
+				break
+			}
+		}
+		if allowCors {
+			ctx.Response.Header.Set("Access-Control-Allow-Origin", "*")
+			ctx.Response.Header.Set("Access-Control-Allow-Methods", "GET, HEAD")
+		}
+		ctx.Response.Header.Set("Allow", "GET, HEAD, OPTIONS")
 		if ctx.IsOptions() {
-			allowCors := false
-			for _, allowedCorsDomain := range allowedCorsDomains {
-				if bytes.Equal(trimmedHost, allowedCorsDomain) {
-					allowCors = true
-					break
-				}
-			}
-			if allowCors {
-				ctx.Response.Header.Set("Access-Control-Allow-Origin", "*")
-				ctx.Response.Header.Set("Access-Control-Allow-Methods", "GET, HEAD")
-			}
-			ctx.Response.Header.Set("Allow", "GET, HEAD, OPTIONS")
 			ctx.Response.Header.SetStatusCode(fasthttp.StatusNoContent)
 			return
 		}