From 70443b54a29b3ea56c0d3f3f5f1a478d1f248ef7 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Fri, 23 Jul 2021 20:34:04 +0100
Subject: [PATCH] Set AllowedHeaders on API CORS handler (#16524)

Backport #16524 Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers to pull API. Fix #16100
Signed-off-by: Andrew Thornton
---
 routers/api/v1/api.go | 1 +
 routers/api/v1/repo/pull.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 4258ea5dc3006..62452f6580a6e 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -569,6 +569,7 @@ func Routes() *web.Route {
 //setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
+ AllowedHeaders: []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"},
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 }))
 }
diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index 66bcabfd38c41..6e93ac02f4825 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -1254,5 +1254,6 @@ func GetPullRequestCommits(ctx *context.APIContext) {
 ctx.Header().Set("X-Total-Count", fmt.Sprintf("%d", totalNumberOfCommits))
 ctx.Header().Set("X-PageCount", strconv.Itoa(totalNumberOfPages))
 ctx.Header().Set("X-HasMore", strconv.FormatBool(listOptions.Page < totalNumberOfPages))
+ ctx.Header().Set("Access-Control-Expose-Headers", "X-Total-Count, X-PerPage, X-Total, X-PageCount, X-HasMore, Link")
 ctx.JSON(http.StatusOK, &apiCommits)
 }
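Review bot: The added `AllowedHeaders` list in the CORS options inside `Routes()` is hard-coded and omits `Content-Type`. If the middleware replaces its built-in default list once this field is set (its defaults are not visible here, so confirm), a cross-origin preflight for a JSON request body would likely be refused. Consider `AllowedHeaders: []string{"Authorization", "Content-Type", "X-CSRFToken", "X-Gitea-OTP"},` or a list extended from configuration, alongside the other `setting.CORSConfig` fields. Because these headers carry credentials and `AllowCredentials` comes from config, a comment such as `// credential-bearing headers: AllowedOrigins must list explicit origins when AllowCredentials is true` would help the next reader. `Routes()` starts and ends outside this hunk.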
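Review bot: The `Access-Control-Expose-Headers` value added in `GetPullRequestCommits` is a hand-written string that does not line up with the headers the visible lines set. Those lines set `X-Total-Count`, `X-PageCount` and `X-HasMore`, while the list also names `X-PerPage`, `X-Total` and `Link`. Those three may be set above the hunk, since the function starts outside it, but any other pagination header set there and missing from the list would stay unreadable to cross-origin scripts. Build the value from the same names used in the `Set` calls, or at least add `// keep in sync with the pagination headers set above` on the line. If other paginated API handlers set the same headers, a shared helper would keep the exposed list uniform across them.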