From 51a39bd693f07316db2b4f4cee6ec685518cbd30 Mon Sep 17 00:00:00 2001
From: Sagar Vora
Date: Mon, 5 Sep 2022 02:10:58 +0530
Subject: [PATCH] fix: only set allowed headers if required
---
 frappe/app.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/frappe/app.py b/frappe/app.py
index 5bf3648941..bace3ff081 100644
--- a/frappe/app.py
+++ b/frappe/app.py
@@ -186,13 +186,13 @@ def set_cors_headers(response):
 # only required for preflight requests
 if request.method == "OPTIONS":
- cors_headers.update(
- {
- "Access-Control-Allow-Methods": request.headers.get("Access-Control-Request-Method"),
- "Access-Control-Allow-Headers": request.headers.get("Access-Control-Request-Headers"),
- }
+ cors_headers["Access-Control-Allow-Methods"] = request.headers.get(
+ "Access-Control-Request-Method"
 )
+ if allowed_headers := request.headers.get("Access-Control-Request-Headers"):
+ cors_headers["Access-Control-Allow-Headers"] = allowed_headers
+
 # allow browsers to cache preflight requests for upto a day
 if not frappe.conf.developer_mode:
 cors_headers["Access-Control-Max-Age"] = "86400"
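Review bot: The `Access-Control-Allow-Methods` assignment is still unguarded, so an OPTIONS request that carries no `Access-Control-Request-Method` header stores `None` under that key. This is the same condition the commit removes for `Access-Control-Allow-Headers`. The same guard would cover it: `if allowed_methods := request.headers.get("Access-Control-Request-Method"): cors_headers["Access-Control-Allow-Methods"] = allowed_methods`. Both values are echoed back from the request verbatim, so the effective restriction rests entirely on the origin check made earlier in `set_cors_headers`, which starts and ends outside this hunk. A short comment such as `# methods/headers are reflected as requested; access is gated by the origin allow-list above` would record that dependency for the next reader.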