From c193edc3d4ba25da7d3f1b977f2fd79fe1446024 Mon Sep 17 00:00:00 2001
From: Alma Armas <celestine@vriska.ru>
Date: Tue, 29 Sep 2020 13:02:04 -0700
Subject: [PATCH] Correct CORS behaviour for API routes

---
 Web/Presenters/VKAPIPresenter.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Web/Presenters/VKAPIPresenter.php b/Web/Presenters/VKAPIPresenter.php
index ff417d4d..571549f9 100644
--- a/Web/Presenters/VKAPIPresenter.php
+++ b/Web/Presenters/VKAPIPresenter.php
@@ -63,7 +63,18 @@ final class VKAPIPresenter extends OpenVKPresenter
             if($refOrigin !== false)
                 $origin = $refOrigin;
         }
+        
+        if(!is_null($this->queryParam("requestPort")))
+            $origin .= ":" . ((int) $this->queryParam("requestPort"));
+        
         header("Access-Control-Allow-Origin: $origin");
+        
+        if($_SERVER["REQUEST_METHOD"] === "OPTIONS") {
+            header("Access-Control-Allow-Methods: POST, PUT, DELETE");
+            header("Access-Control-Allow-Headers: " . $_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]);
+            header("Access-Control-Max-Age: -1");
+            exit; # Terminate request processing as this is definitely a CORS preflight request.
+        }
     }
     
     function renderRoute(string $object, string $method): void