From a55227d633ab720d35cdcaeee83aab39d0989552 Mon Sep 17 00:00:00 2001
From: ketankr9
Date: Fri, 10 Jan 2020 13:14:51 +0530
Subject: [PATCH] Relaxed CORS restriction from /api/ endpoint, see #46

Now cross-site xhr-requests can work inside browser(by scripts or extensions) even if the authentication is enabled.
Tested on an extension which uses /api/ endpoint with authentication feature and solves [https://github.com/ketankr9/cloud-torrent-extension/issues/1#issuecomment-570915569](https://github.com/ketankr9/cloud-torrent-extension/issues/1#issuecomment-570915569)
Note: CORS only affects webHandle
---
 server/server_http.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/server_http.go b/server/server_http.go
index 38b3f7a60..d644f0c61 100644
--- a/server/server_http.go
+++ b/server/server_http.go
@@ -39,7 +39,12 @@ func (s *Server) webHandle(w http.ResponseWriter, r *http.Request) {
 }
 //api call
 if strings.HasPrefix(r.URL.Path, "/api/") {
- w.Header().Set("Access-Control-Allow-Headers", "authorization")
+ origin := r.Header.Get("Origin")
+ if origin == "" {
+ origin = "*"
+ }
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ w.Header().Set("Access-Control-Allow-Credentials", "true")
 s.restAPIhandle(w, r)
 return
 }
@@ -51,7 +56,6 @@ func (s *Server) webHandle(w http.ResponseWriter, r *http.Request) {
 func (s *Server) restAPIhandle(w http.ResponseWriter, r *http.Request) {
 ret := "Bad Request"
 if strings.HasPrefix(r.URL.Path, "/api/") {
- w.Header().Set("Access-Control-Allow-Origin", "*")
 switch r.Method {
 case "POST":
 if err := s.apiPOST(r); err == nil {
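Review bot: The new lines in webHandle echo whatever `Origin` the request carries into `Access-Control-Allow-Origin` and pair it with `Access-Control-Allow-Credentials: true`, which lets any web page the user happens to visit make credentialed cross-site calls to the authenticated /api/ endpoint, so the server's authentication no longer protects it from a hostile origin. The echo should be gated on a configured allow-list of origins, and the response should carry `Vary: Origin` so a shared cache never serves one origin's header to another; the `origin = "*"` fallback is harmless but pointless, since browsers reject `*` in combination with credentials. Dropping `Access-Control-Allow-Headers: authorization` from the same branch also means a preflight for a request that sets an explicit `Authorization` header will no longer be accepted unless that header is allowed elsewhere, which is not visible here. webHandle's body begins before this hunk.
```go
origin := r.Header.Get("Origin")
// Only echo the Origin back when it is on a configured allow-list;
// reflecting an arbitrary Origin together with Allow-Credentials
// hands every site credentialed access to the authenticated API.
if originAllowed(origin) { // placeholder: compare against the configured allowed origins
	w.Header().Set("Access-Control-Allow-Origin", origin)
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	w.Header().Add("Vary", "Origin")
}
// … unchanged: s.restAPIhandle(w, r); return …
```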