Improve CORS

Change-Id: Id63a809fb235bfa25942188318f31eeb520adc05
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 6a6a7cf..8efd919 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -110,7 +110,12 @@
 
   $self->hook(
     before_dispatch => sub {
-      shift->res->headers->header('X-Content-Type-Options' => 'nosniff');
+      my $h = shift->res->headers;
+      $h->header('X-Content-Type-Options' => 'nosniff');
+      $h->header(
+        'Access-Control-Allow-Methods' =>
+          $h->header('Access-Control-Allow-Methods') // 'GET, POST, OPTIONS'
+        );
     }
   );
 
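Review bot: The `$h->header('Access-Control-Allow-Methods') // ...` lookup in the `before_dispatch` hook will normally find nothing, because the hook runs before any controller has touched the response; only an earlier hook (none is visible here) could have set a value. Controllers still override the default by setting the header later, as the proxy preflight does, so the fallback reads as a guard that is not doing the work. Consider the plain form `$h->header('Access-Control-Allow-Methods' => 'GET, POST, OPTIONS');` with a comment such as `# App-wide default; controllers may overwrite it (e.g. the proxy preflight)`. The header is now sent on every response, although browsers only read it on preflight answers, so a short comment stating that this is intentional would help. The enclosing function starts and ends outside the hunk.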
@@ -161,6 +166,7 @@
     'default-src' => 'self',
     'style-src' => ['self','unsafe-inline'],
     'script-src' => 'self',
+    'connect-src' => 'self',
     'frame-src' => '*',
     'media-src' => 'none',
     'object-src' => 'self',
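Review bot: The added `'connect-src' => 'self'` carries no comment, and with `'default-src' => 'self'` three lines above it restates the value that `connect-src` would already fall back to. If the intent is to pin XHR/fetch/WebSocket targets so they do not follow later changes to `default-src`, or to give other code a directive to extend, a comment would record that, for example `# Explicit so fetch/XHR targets stay same-origin even if default-src changes`. The `t/page.t` hunk in this commit does not assert the resulting policy, so an assertion on the Content-Security-Policy header there would pin it. The surrounding hash starts and ends outside the hunk.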
diff --git a/lib/Kalamar/Controller/Proxy.pm b/lib/Kalamar/Controller/Proxy.pm
index 8a52c25..65153c7 100644
--- a/lib/Kalamar/Controller/Proxy.pm
+++ b/lib/Kalamar/Controller/Proxy.pm
@@ -41,7 +41,6 @@
 
   my $h = $c->res->headers;
   $h->access_control_allow_origin('*');
-  $h->header('Access-Control-Allow-Methods' => 'GET, OPTIONS');
 
   # Retrieve CORS header
   if ($c->req->method eq 'OPTIONS') {
@@ -49,6 +48,7 @@
     # Remember this option for a day
     $h->header('Access-Control-Max-Age' => '86400');
     $h->header('Access-Control-Allow-Headers' => '*');
+    $h->header('Access-Control-Allow-Methods' => 'GET, OPTIONS');
     return $c->render(
       status => 204,
       text => ''
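Review bot: Moving `Access-Control-Allow-Methods` into the `OPTIONS` branch means non-preflight proxy responses appear to combine `Access-Control-Allow-Origin: *` with the app-wide `GET, POST, OPTIONS` from the `before_dispatch` hook, while the preflight answers `GET, OPTIONS`. Browsers enforce only the preflight value, so cross-origin behaviour is unchanged, but the two responses disagree, and someone reading headers or logs could conclude that the proxy accepts cross-origin POST. Either keep the `$h->header('Access-Control-Allow-Methods' => 'GET, OPTIONS');` line above the `if` so that every proxy response states the narrower set, or add a proxy test on the `OPTIONS` request with `->header_is('Access-Control-Allow-Methods', 'GET, OPTIONS')`. That test would catch the global default leaking through if hook or controller ordering changes. The enclosing action starts before the hunk and continues after it.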
diff --git a/t/page.t b/t/page.t
index 68e2c25..88479f5 100644
--- a/t/page.t
+++ b/t/page.t
@@ -32,6 +32,7 @@
   ->content_like(qr/<script nonce/)
   ->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
   ->header_is('X-Content-Type-Options', 'nosniff')
+  ->header_is('Access-Control-Allow-Methods','GET, POST, OPTIONS')
   ;
 
 # Test additions