From c8b7a233a5b05fd4402936a343b0dc1f6442c5ed Mon Sep 17 00:00:00 2001
From: Jonas Rittershofer <jotoeri@users.noreply.github.com>
Date: Sat, 2 Apr 2022 18:04:41 +0200
Subject: Allow CSRF on CORS routes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Julius Härtl <jus@bitgrid.net>
Co-authored-by: Andreas Brinner <andreas@everlanes.net>
Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
---
 lib/public/AppFramework/OCSController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/public/AppFramework/OCSController.php')

diff --git a/lib/public/AppFramework/OCSController.php b/lib/public/AppFramework/OCSController.php
index 09c28667dcd..11bac9effd5 100644
--- a/lib/public/AppFramework/OCSController.php
+++ b/lib/public/AppFramework/OCSController.php
@@ -61,7 +61,7 @@ abstract class OCSController extends ApiController {
 	public function __construct($appName,
 								IRequest $request,
 								$corsMethods = 'PUT, POST, GET, DELETE, PATCH',
-								$corsAllowedHeaders = 'Authorization, Content-Type, Accept',
+								$corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest',
 								$corsMaxAge = 1728000) {
 		parent::__construct($appName, $request, $corsMethods,
 							$corsAllowedHeaders, $corsMaxAge);
-- 
cgit v1.2.3