From 2e023ecc04c4f7d1ad30e535ad2d983df506d066 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 1 Apr 2022 22:57:21 +0100
Subject: [PATCH] actix: Fix CORS

The docs aren't entirely clear but suggest that the default allowed
origins is All.  But dbg! output seems to contradict this.  And we
should support more headers, and say that we don't vary our CORS at
all.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 daemon/main.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/daemon/main.rs b/daemon/main.rs
index 6e2a9573..d6d62467 100644
--- a/daemon/main.rs
+++ b/daemon/main.rs
@@ -280,9 +280,10 @@ impl<'r> FromFormValue<'r> for BundleToken {
 */
 
 fn updates_cors() -> Cors {
-
   Cors::default()
-      .allowed_methods([Method::GET])
+    .allow_any_origin()
+    .allowed_methods([Method::GET, Method::OPTIONS, Method::HEAD])
+    .disable_vary_header()
 }
 
 #[derive(Debug, Deserialize)]
-- 
2.30.2