From c47065cc29efcbf1c6869cd7b96411e9a91c2274 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Wed, 4 Aug 2021 20:57:59 +0100
Subject: [PATCH] Set AllowedHeaders on API CORS handler (#16524) (#16618)
Backport #16524 Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers to pull API. Fix #16100
Signed-off-by: Andrew Thornton
---
 routers/api/v1/api.go | 1 +
 routers/api/v1/repo/pull.go | 1 +
 2 files changed, 2 insertions(+)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 4258ea5dc30..62452f6580a 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -569,6 +569,7 @@ func Routes() *web.Route {
 //setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
+ AllowedHeaders: []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"},
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 }))
 }
diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index 66bcabfd38c..6e93ac02f48 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -1254,5 +1254,6 @@ func GetPullRequestCommits(ctx *context.APIContext) {
 ctx.Header().Set("X-Total-Count", fmt.Sprintf("%d", totalNumberOfCommits))
 ctx.Header().Set("X-PageCount", strconv.Itoa(totalNumberOfPages))
 ctx.Header().Set("X-HasMore", strconv.FormatBool(listOptions.Page < totalNumberOfPages))
+ ctx.Header().Set("Access-Control-Expose-Headers", "X-Total-Count, X-PerPage, X-Total, X-PageCount, X-HasMore, Link")
 ctx.JSON(http.StatusOK, &apiCommits)
 }
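Review bot: The allowed request headers on the added `AllowedHeaders:` line are a hard-coded literal, while the neighbouring fields (`AllowedMethods`, `AllowCredentials`, `MaxAge`) all come from `setting.CORSConfig`, so an operator can neither narrow nor extend the list. Supplying an explicit list may also replace whatever defaults the cors middleware applies when the field is left empty; if so, preflighted JSON requests that send `Content-Type` would start failing, which is worth confirming with a test before release. `Authorization` and `X-Gitea-OTP` carry credentials and sit next to `AllowCredentials`, so the exposure depends entirely on the configured origin list, which is outside this hunk; a comment such as `// credential-bearing headers: only safe while the configured allowed origins are trusted` would record that. Routes() starts and ends outside the hunk.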
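Review bot: The exposed-header list on the added `Access-Control-Expose-Headers` line is a string literal that has to be kept in sync by hand with the `Set` calls above it. Three of the names it advertises (`X-PerPage`, `X-Total`, `Link`) are not set in the visible lines; they may be set earlier in GetPullRequestCommits, which starts outside the hunk, but if they are not, the list exposes headers that never exist. Since the description calls this header "missing" here, other handlers presumably carry the same literal, and a shared constant or helper would stop the copies from drifting. Note also that `Set` replaces any `Access-Control-Expose-Headers` value an earlier middleware may have written; a comment like `// overrides any Expose-Headers value set upstream` would make that explicit.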