From e31390750471a82b20816eedf5ef7c0a73034871 Mon Sep 17 00:00:00 2001
From: cytopia
Date: Sat, 31 Dec 2022 07:41:18 +0100
Subject: [PATCH] Streamline cors headers

---
 bin/vhost-gen | 4 ++--
 etc/templates/apache22.yml | 9 ++++++---
 etc/templates/apache24.yml | 9 ++++++---
 etc/templates/nginx.yml | 9 +++++----
 setup.py | 2 +-
 5 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/bin/vhost-gen b/bin/vhost-gen
index e2de7da..d28f5b5 100755
--- a/bin/vhost-gen
+++ b/bin/vhost-gen
@@ -29,8 +29,8 @@ if os.environ.get("MYPY_CHECK", False):
 # --------------------------------------------------------------------------------------------------
 APPNAME = "vhost-gen"
 APPREPO = "https://github.com/devilbox/vhost-gen"
-VERSION = "1.0.9"
-RELDATE = "2022-12-27"
+VERSION = "1.0.10"
+RELDATE = "2022-12-31"
 
 # Default paths
 CONFIG_PATH = "/etc/vhost-gen/conf.yml"
diff --git a/etc/templates/apache22.yml b/etc/templates/apache22.yml
index 2ed7c9a..ca65395 100644
--- a/etc/templates/apache22.yml
+++ b/etc/templates/apache22.yml
@@ -181,13 +181,16 @@ features:
 Allow from all
 
 
+ # https://stackoverflow.com/a/42558499
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 xdomain_request: |
 # Allow cross domain request from these hosts
 SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
- Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always set Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ Header always set Access-Control-Allow-Headers "Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With"
+ Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
 Header always set Access-Control-Max-Age "0"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} OPTIONS
diff --git a/etc/templates/apache24.yml b/etc/templates/apache24.yml
index 5287dfb..c58eacf 100644
--- a/etc/templates/apache24.yml
+++ b/etc/templates/apache24.yml
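Review bot: The new `Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin` line reflects the matched request Origin into the response, but the hunk adds no matching `Vary: Origin`, so a shared cache sitting between this vhost and the browser can hand a response stamped with one origin's Access-Control-Allow-Origin to a different origin. Add `Header always merge Vary Origin env=AccessControlAllowOrigin` directly after it; the identical hunk in etc/templates/apache24.yml needs the same line, and the etc/templates/nginx.yml hunk needs `add_header 'Vary' 'Origin';` next to its reflected `$http_origin`. Two smaller points on the new Access-Control-Allow-Headers value: `Content-Security-Policy` and `Location` are response headers, so allowing them in a preflight serves no purpose, and dropping `client-security-token` here (and `X-CustomHeader`, `Cache-Control`, `Range` and the rest of the old list in nginx.yml) will make browsers fail preflights for deployments whose front ends still send those headers, which deserves a changelog entry or a configurable list. The xdomain_request block continues past the end of the hunk.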
@@ -206,13 +206,16 @@ features:
 Require all granted
 
 
+ # https://stackoverflow.com/a/42558499
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 xdomain_request: |
 # Allow cross domain request from these hosts
 SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
- Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always set Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ Header always set Access-Control-Allow-Headers "Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With"
+ Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
 Header always set Access-Control-Max-Age "0"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} OPTIONS
diff --git a/etc/templates/nginx.yml b/etc/templates/nginx.yml
index 555864d..5d0de86 100644
--- a/etc/templates/nginx.yml
+++ b/etc/templates/nginx.yml
@@ -166,11 +166,12 @@ features:
 
 xdomain_request: |
 # Allow cross domain request from these hosts
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 if ( $http_origin ~* (__REGEX__) ) {
- add_header "Access-Control-Allow-Origin" "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header "Access-Control-Allow-Origin" "$http_origin";
+ add_header 'Access-Control-Allow-Methods' 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With';
+ add_header 'Access-Control-Expose-Headers' 'Content-Security-Policy, Location';
 add_header 'Access-Control-Max-Age' 0;
 return 200;
 }
diff --git a/setup.py b/setup.py
index f454567..28e55f5 100644
--- a/setup.py
+++ b/setup.py
@@ -6,7 +6,7 @@ setup(
 name="vhost-gen",
-version="1.0.9",
+version="1.0.10",
 description="Configurable vHost generator for Apache 2.2, Apache 2.4 and Nginx.",
 license="MIT",
 long_description=long_description,