proxy mode: replay improvements for content not captured via proxy mode

pywb/apps/rewriterapp.py

@@ -326,6 +326,10 @@ def render_content(self, wb_url, kwargs, environ):
             'pywb.static_prefix', '/static/')
         is_proxy = ('wsgiprox.proxy_host' in environ)
 
+        # if OPTIONS in proxy mode, just generate the proxy responss
+        if is_proxy and self.is_preflight(environ):
+            return WbResponse.options_response(environ)
+
         environ['pywb.host_prefix'] = host_prefix
 
         if self.use_js_obj_proxy:
@@ -551,6 +555,9 @@ def render_content(self, wb_url, kwargs, environ):
 
         response = WbResponse(status_headers, gen)
 
+        if is_proxy and environ.get('HTTP_ORIGIN'):
+            response.add_access_control_headers(environ)
+
         return response
 
     def format_response(self, response, wb_url, full_prefix, is_timegate, is_proxy):
@@ -817,6 +824,19 @@ def is_ajax(self, environ):
 
         return False
 
+    def is_preflight(self, environ):
+        if environ.get('REQUEST_METHOD') != 'OPTIONS':
+            return False
+
+        if not environ.get('HTTP_ORIGIN'):
+            return False
+
+        if not environ.get('HTTP_ACCESS_CONTROL_REQUEST_METHOD') and not environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'):
+            return False
+
+        return True
+
+
     def get_base_url(self, wb_url, kwargs):
         type_ = kwargs.get('type')
         return self.paths[type_].format(**kwargs)

pywb/apps/wbrequestresponse.py

@@ -186,14 +186,14 @@ def add_access_control_headers(self, env=None):
                 allowed_methods = allowed_methods + ', ' + r_method
             acr_headers = env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
             if acr_headers is not None:
-                self.status_headers.add_header('Access-Control-Allow-Headers', acr_headers)
+                self.status_headers.replace_header('Access-Control-Allow-Headers', acr_headers)
             allowed_origin = env.get('HTTP_ORIGIN', env.get('HTTP_REFERER', allowed_origin))
         if allowed_origin is None:
             allowed_origin = '*'
         self.status_headers.replace_header('Access-Control-Allow-Origin',  allowed_origin)
-        self.status_headers.add_header('Access-Control-Allow-Methods', allowed_methods)
-        self.status_headers.add_header('Access-Control-Allow-Credentials', 'true')
-        self.status_headers.add_header('Access-Control-Max-Age', '1800')
+        self.status_headers.replace_header('Access-Control-Allow-Methods', allowed_methods)
+        self.status_headers.replace_header('Access-Control-Allow-Credentials', 'true')
+        self.status_headers.replace_header('Access-Control-Max-Age', '1800')
         return self
 
     def __repr__(self):

tests/test_proxy.py

@@ -83,6 +83,20 @@ def test_proxy_replay(self, scheme):
         assert res.headers['Memento-Datetime'] == 'Mon, 27 Jan 2014 17:12:51 GMT'
         assert 'Content-Location' not in res.headers
 
+    def test_proxy_replay_cors(self, scheme):
+        res = requests.get('{0}://example.com/'.format(scheme),
+                           proxies=self.proxies,
+                           verify=self.root_ca_file,
+                           headers={'Origin': '{0}://api.example.com/'.format(scheme)})
+
+        assert 'Example Domain' in res.text
+
+        assert res.headers['Access-Control-Allow-Methods'] == 'GET, POST, PUT, OPTIONS, DELETE, PATCH, HEAD, TRACE, CONNECT'
+        assert res.headers['Access-Control-Allow-Credentials'] == 'true'
+        assert res.headers['Access-Control-Allow-Origin'] == '{0}://api.example.com/'.format(scheme)
+
+        assert 'Content-Location' not in res.headers
+
     def test_proxy_replay_change_dt(self, scheme):
         headers = {'Accept-Datetime':  'Mon, 26 Dec 2011 17:12:51 GMT'}
         res = requests.get('{0}://example.com/'.format(scheme),