From 53b52e12745075a8acc016d33945d9d6a7a6aaeb Mon Sep 17 00:00:00 2001
From: Jessica Austin <jessica@axiomdatascience.com>
Date: Fri, 30 Sep 2016 15:03:06 -0800
Subject: [PATCH 1/2] Add CORS headers to /api requests

---
 luigi/server.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/luigi/server.py b/luigi/server.py
index da7b61e3d5..e58d1c5ec9 100644
--- a/luigi/server.py
+++ b/luigi/server.py
@@ -62,6 +62,9 @@ class RPCHandler(tornado.web.RequestHandler):
 
     def initialize(self, scheduler):
         self._scheduler = scheduler
+        self.set_header("Access-Control-Allow-Headers", "Accept, Authorization, Content-Type, Origin")
+        self.set_header("Access-Control-Allow-Methods", "GET, OPTIONS")
+        self.set_header("Access-Control-Allow-Origin", "*")
 
     def get(self, method):
         if method not in RPC_METHODS:

From 7915d90ee6fcf9ac4d9763e30e2887e0f396b27d Mon Sep 17 00:00:00 2001
From: Jessica Austin <jessica@axiomdatascience.com>
Date: Mon, 3 Oct 2016 09:42:48 -0800
Subject: [PATCH 2/2] Add test to verify CORS headers are on requests

---
 test/server_test.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/test/server_test.py b/test/server_test.py
index 22ea1a80e5..c725fb837a 100644
--- a/test/server_test.py
+++ b/test/server_test.py
@@ -98,6 +98,17 @@ def test_404(self):
     def test_api_404(self):
         self._test_404('/api/foo')
 
+    def test_api_cors_headers(self):
+        response = self.fetch('/api/graph')
+        headers = dict(response.headers)
+
+        def _set(name):
+            return set(headers[name].replace(" ", "").split(","))
+
+        self.assertSetEqual(_set("Access-Control-Allow-Headers"), {"Content-Type", "Accept", "Authorization", "Origin"})
+        self.assertSetEqual(_set("Access-Control-Allow-Methods"), {"GET", "OPTIONS"})
+        self.assertEqual(headers["Access-Control-Allow-Origin"], "*")
+
 
 class _ServerTest(unittest.TestCase):
     """