fix: only set allowed headers if required

2022-09-05 02:10:58 +05:30 · 2022-09-05 02:10:58 +05:30 · 51a39bd693
commit 51a39bd693
parent 5cb440c27f
1 changed files with 5 additions and 5 deletions
--- a/frappe/app.py
+++ b/frappe/app.py
@ -186,13 +186,13 @@ def set_cors_headers(response):

 	# only required for preflight requests
 	if request.method == "OPTIONS":
-		cors_headers.update(
-			{
-				"Access-Control-Allow-Methods": request.headers.get("Access-Control-Request-Method"),
-				"Access-Control-Allow-Headers": request.headers.get("Access-Control-Request-Headers"),
-			}
+		cors_headers["Access-Control-Allow-Methods"] = request.headers.get(
+			"Access-Control-Request-Method"
 		)

+		if allowed_headers := request.headers.get("Access-Control-Request-Headers"):
+			cors_headers["Access-Control-Allow-Headers"] = allowed_headers
+
 		# allow browsers to cache preflight requests for upto a day
 		if not frappe.conf.developer_mode:
 			cors_headers["Access-Control-Max-Age"] = "86400"