Fix access-control-header for web clients

10 years ago · 5788f191b1
1 changed files with 13 additions and 5 deletions
--- a/lib/expressapp.js
+++ b/lib/expressapp.js
@ -27,18 +27,26 @@ ExpressApp.start = function(opts) {
  WalletService.initialize(opts.WalletService);
  var app = express();
  app.use(function(req, res, next) {
-    res.setHeader('Access-Control-Allow-Origin', '*');
+    if (req.headers.cookie) {
+      res.setHeader('Access-Control-Allow-Origin', '*');
+    }
+    else {
+      res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
+    }
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, DELETE');
-    res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,Content-Type,Authorization');
+    res.setHeader('Access-Control-Allow-Headers', 'x-signature,x-identity,X-Requested-With,Content-Type,Authorization');
    next();
  });
  var allowCORS = function(req, res, next) {
    if ('OPTIONS' == req.method) {
-      res.sendStatus(200);
+      var headers = {};
+      headers['Access-Control-Allow-Credentials'] = true;
+      res.writeHead(200, headers);
      res.end();
-      return;
    }
-    next();
+    else {
+      next();
+    }
  }
  app.use(allowCORS);