From 16ee985c22c2fcfa2e108dcc7d3e8ce184fd95ed Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Mon, 23 Dec 2019 12:46:01 -0700
Subject: admin: Only write most CORS headers in OPTIONS requests

---
 admin.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'admin.go')

diff --git a/admin.go b/admin.go
index 89c007d..bf11985 100644
--- a/admin.go
+++ b/admin.go
@@ -50,7 +50,7 @@ type AdminConfig struct {
 
 	// The address to which the admin endpoint's listener should
 	// bind itself. Can be any single network address that can be
-	// parsed by Caddy.
+	// parsed by Caddy. Default: localhost:2019
 	Listen string `json:"listen,omitempty"`
 
 	// If true, CORS headers will be emitted, and requests to the
@@ -282,10 +282,12 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		if r.Method == http.MethodOptions {
+			w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+		}
 		w.Header().Set("Access-Control-Allow-Origin", origin)
-		w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
-		w.Header().Set("Access-Control-Allow-Credentials", "true")
 	}
 
 	// TODO: authentication & authorization, if configured
-- 
cgit v1.2.3