enable CORS in cfc_webapp

This is necessary for e-mission/e-mission-phone#1169 to be able to make requests to the server from a browser
JGreenlee · Aug 28, 2024 · 154a9e0 · 154a9e0
1 parent dea6ff4
commit 154a9e0
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/emission/net/api/cfc_webapp.py b/emission/net/api/cfc_webapp.py
@@ -480,6 +480,18 @@ def after_request():
         msTimeNow, duration)
   stats.store_server_api_time(request.params.user_uuid, "%s_%s_cputime" % (request.method, request.path),
         msTimeNow, new_duration)
+
+  # add headers to allow CORS (Cross-Origin Resource Sharing)
+  # Note: this is only needed for requests made from browsers (i.e. JavaScript fetch)
+  # Requests made from native phone code do not have rules about CORS
+  response.headers['Access-Control-Allow-Origin'] = '*'
+  response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
+  response.headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token'
+
+# generic route accepting OPTIONS method, needed for CORS preflight
+@route('/<:re:.*>', method='OPTIONS')
+def enable_cors_generic_route():
+    pass
 
 # Auth helpers BEGIN
 # This should only be used by createUserProfile since we may not have a UUID