Merge pull request #3012 from coreos-inc/access-control-header

Add X-Requested-With header to allowed CORS headers

endpoints/api/__init__.py

@@ -32,8 +32,10 @@ logger = logging.getLogger(__name__)
 api_bp = Blueprint('api', __name__)
 
 
+CROSS_DOMAIN_HEADERS = ['Authorization', 'Content-Type', 'X-Requested-With']
+
 class ApiExceptionHandlingApi(Api):
-  @crossdomain(origin='*', headers=['Authorization', 'Content-Type'])
+  @crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS)
   def handle_error(self, error):
     return super(ApiExceptionHandlingApi, self).handle_error(error)
 
@@ -41,7 +43,7 @@ class ApiExceptionHandlingApi(Api):
 api = ApiExceptionHandlingApi()
 api.init_app(api_bp)
 api.decorators = [csrf_protect(),
-                  crossdomain(origin='*', headers=['Authorization', 'Content-Type']),
+                  crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS),
                   process_oauth, time_decorator(api_bp.name, metric_queue),
                   require_xhr_from_browser]