author | Matthew Holt <mholt@users.noreply.github.com> | 2019-12-23 12:46:01 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-12-23 12:46:01 -0700 |
commit | 16ee985c22c2fcfa2e108dcc7d3e8ce184fd95ed (patch) | |
tree | b00ca8be80a3b94c442c31dcf6567512e849fa74 | |
parent | 95ed603de79c66ff76bfe7e42986a2fc8c7a1fa4 (diff) |
admin: Only write most CORS headers in OPTIONS requests
-rw-r--r-- | admin.go | 10 |
1 files changed, 6 insertions, 4 deletions
@@ -50,7 +50,7 @@ type AdminConfig struct {
 // The address to which the admin endpoint's listener should
 // bind itself. Can be any single network address that can be
- // parsed by Caddy.
+ // parsed by Caddy. Default: localhost:2019
 Listen string `json:"listen,omitempty"`
 // If true, CORS headers will be emitted, and requests to the
@@ -282,10 +282,12 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if r.Method == http.MethodOptions {
+ w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
+ w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
+ w.Header().Set("Access-Control-Allow-Credentials", "true")
+ }
 w.Header().Set("Access-Control-Allow-Origin", origin)
- w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
- w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
- w.Header().Set("Access-Control-Allow-Credentials", "true")
 }
 // TODO: authentication & authorization, if configured |
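Review bot: `Access-Control-Allow-Credentials` is not a preflight-only header, so moving it inside the `r.Method == http.MethodOptions` branch in serveHTTP means a credentialed cross-origin request passes the preflight and then has its actual response withheld by the browser, which applies the same CORS check to it. If credentialed access to the admin API is intended, keep `w.Header().Set("Access-Control-Allow-Credentials", "true")` beside the `Access-Control-Allow-Origin` line; if it is not intended, drop it from the preflight as well so the policy is unambiguous. Because the allowed origin is echoed from the request, the response should also carry `w.Header().Add("Vary", "Origin")`, unless that is already set outside this hunk. serveHTTP starts and ends outside the hunk, so the origin check that makes the echo safe is presumably just above and is worth naming in a short comment here.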