Improve CORS
Change-Id: Id63a809fb235bfa25942188318f31eeb520adc05
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 6a6a7cf..8efd919 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -110,7 +110,12 @@
$self->hook(
before_dispatch => sub {
- shift->res->headers->header('X-Content-Type-Options' => 'nosniff');
+ my $h = shift->res->headers;
+ $h->header('X-Content-Type-Options' => 'nosniff');
+ $h->header(
+ 'Access-Control-Allow-Methods' =>
+ $h->header('Access-Control-Allow-Methods') // 'GET, POST, OPTIONS'
+ );
}
);
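Review bot: The read-back `$h->header('Access-Control-Allow-Methods') // 'GET, POST, OPTIONS'` inside `before_dispatch` looks as if it can only ever take the fallback, because the response headers are presumably still empty when this hook runs, unless an earlier hook sets the header. If that holds, a plain `$h->header('Access-Control-Allow-Methods' => 'GET, POST, OPTIONS');` expresses the same thing more directly. The value is also attached to every response, although browsers consult it only on preflight (OPTIONS) responses, and it advertises POST for routes that may not accept it. A comment such as `# Default for preflight responses; controllers may override it (see Controller::Proxy)` would record the intent. The method that registers this hook starts outside the hunk.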
@@ -161,6 +166,7 @@
'default-src' => 'self',
'style-src' => ['self','unsafe-inline'],
'script-src' => 'self',
+ 'connect-src' => 'self',
'frame-src' => '*',
'media-src' => 'none',
'object-src' => 'self',
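Review bot: `'connect-src' => 'self'` restates what `'default-src' => 'self'` already provides, since connect-src falls back to default-src when it is absent, so the reason for spelling it out belongs in a comment. If the intent is that later additions to the directive keep `'self'` instead of replacing the fallback, say so, e.g. `# explicit, so that extending connect-src later keeps 'self'`. The directive list starts and ends outside the hunk, so this is inferred from the visible entries only.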
diff --git a/lib/Kalamar/Controller/Proxy.pm b/lib/Kalamar/Controller/Proxy.pm
index 8a52c25..65153c7 100644
--- a/lib/Kalamar/Controller/Proxy.pm
+++ b/lib/Kalamar/Controller/Proxy.pm
@@ -41,7 +41,6 @@
my $h = $c->res->headers;
$h->access_control_allow_origin('*');
- $h->header('Access-Control-Allow-Methods' => 'GET, OPTIONS');
# Retrieve CORS header
if ($c->req->method eq 'OPTIONS') {
@@ -49,6 +48,7 @@
# Remember this option for a day
$h->header('Access-Control-Max-Age' => '86400');
$h->header('Access-Control-Allow-Headers' => '*');
+ $h->header('Access-Control-Allow-Methods' => 'GET, OPTIONS');
return $c->render(
status => 204,
text => ''
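Review bot: Nothing in this diff asserts the `GET, OPTIONS` value that the preflight branch now sets; the only new assertion, in t/page.t, pins the global default (an existing proxy test may already cover it). An OPTIONS request against the proxy route with `->header_is('Access-Control-Allow-Methods', 'GET, OPTIONS')` would catch the hook default leaking into preflight responses. Non-OPTIONS proxy responses now carry the hook's `GET, POST, OPTIONS` next to `Access-Control-Allow-Origin: *`, which browsers ignore outside preflight but which reads as if POST were proxied. A comment above the new line, e.g. `# Narrow the app-wide default: the proxy only serves GET`, would make the override deliberate. The enclosing action starts and ends outside the hunk.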
diff --git a/t/page.t b/t/page.t
index 68e2c25..88479f5 100644
--- a/t/page.t
+++ b/t/page.t
@@ -32,6 +32,7 @@
->content_like(qr/<script nonce/)
->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
->header_is('X-Content-Type-Options', 'nosniff')
+ ->header_is('Access-Control-Allow-Methods','GET, POST, OPTIONS')
;
# Test additions