20647: Fix CORS preflight request handling.

[arvados.git] / services / keep-web / handler.go

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 27981c487de0f1a8c6373c65fd4504bfe0042491..3cdaf5d2b51c5e2d663fd8e53dc29739ffe76551 100644 (file)
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -182,15 +182,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 
        w := httpserver.WrapResponseWriter(wOrig)
 
-       if method := r.Header.Get("Access-Control-Request-Method"); method != "" && r.Method == "OPTIONS" {
-               if !browserMethod[method] && !webdavMethod[method] {
-                       w.WriteHeader(http.StatusMethodNotAllowed)
-                       return
-               }
-               w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
-               w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
-               w.Header().Set("Access-Control-Allow-Origin", "*")
-               w.Header().Set("Access-Control-Max-Age", "86400")
+       if r.Method == "OPTIONS" && ServeCORSPreflight(w, r.Header) {
                return
        }
 
@@ -949,3 +941,19 @@ func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string)
        }
        return nil, ""
 }
+
+func ServeCORSPreflight(w http.ResponseWriter, header http.Header) bool {
+       method := header.Get("Access-Control-Request-Method")
+       if method == "" {
+               return false
+       }
+       if !browserMethod[method] && !webdavMethod[method] {
+               w.WriteHeader(http.StatusMethodNotAllowed)
+               return true
+       }
+       w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
+       w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
+       w.Header().Set("Access-Control-Allow-Origin", "*")
+       w.Header().Set("Access-Control-Max-Age", "86400")
+       return true
+}