From 2cbea23d700df9a45899e5de40e93e1a73354ce1 Mon Sep 17 00:00:00 2001
From: Drew Noel <drew.noel@aon.com>
Date: Fri, 11 Nov 2022 01:39:27 -0500
Subject: Add configuration for CORS allowed headers (#21747)

This PR enhances the CORS middleware usage by allowing for the headers
to be configured in `app.ini`.

Fixes #21746

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 routers/api/v1/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'routers/api')

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0d11674aa9..4b27270840 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -617,7 +617,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
-			AllowedHeaders:   []string{"Authorization", "X-Gitea-OTP"},
+			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
 		}))
 	}
-- 
cgit v1.2.3