Merge pull request #3012 from coreos-inc/access-control-header

Add X-Requested-With header to allowed CORS headers
2018-02-21 14:27:36 -05:00 · 2018-02-21 14:27:36 -05:00 · 6220df4f88
commit 6220df4f88
parent f851693095 bcd9b680fa
1 changed files with 4 additions and 2 deletions
--- a/endpoints/api/init.py
+++ b/endpoints/api/init.py
@ -32,8 +32,10 @@ logger = logging.getLogger(__name__)
 api_bp = Blueprint('api', __name__)


+CROSS_DOMAIN_HEADERS = ['Authorization', 'Content-Type', 'X-Requested-With']
+
 class ApiExceptionHandlingApi(Api):
-  @crossdomain(origin='*', headers=['Authorization', 'Content-Type'])
+  @crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS)
  def handle_error(self, error):
    return super(ApiExceptionHandlingApi, self).handle_error(error)

@ -41,7 +43,7 @@ class ApiExceptionHandlingApi(Api):
 api = ApiExceptionHandlingApi()
 api.init_app(api_bp)
 api.decorators = [csrf_protect(),
-                  crossdomain(origin='*', headers=['Authorization', 'Content-Type']),
+                  crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS),
                  process_oauth, time_decorator(api_bp.name, metric_queue),
                  require_xhr_from_browser]