fix CORS headers (ydb-platform#8303)

adameat · adameat · commit 9e878a2751ac · 2024-10-03T05:36:34.000Z
diff --git a/ydb/core/viewer/viewer.cpp b/ydb/core/viewer/viewer.cpp
@@ -475,36 +475,12 @@ class TViewer : public TActorBootstrapped<TViewer>, public IViewer {
             if (type.empty()) {
                 type = "application/json";
             }
-            if (AllowOrigin) {
-                ctx.Send(ev->Sender, new NMon::TEvHttpInfoRes(
-                    "HTTP/1.1 204 No Content\r\n"
-                    "Access-Control-Allow-Origin: " + AllowOrigin + "\r\n"
-                    "Access-Control-Allow-Credentials: true\r\n"
-                    "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
-                    "Access-Control-Allow-Methods: OPTIONS, GET, POST\r\n"
-                    "Allow: OPTIONS, GET, POST\r\n"
-                    "Content-Type: " + type + "\r\n"
-                    "Connection: Keep-Alive\r\n\r\n", 0, NMon::IEvHttpInfoRes::EContentType::Custom));
-            } else {
-                TString origin = TString(msg->Request.GetHeader("Origin"));
-                if (!origin.empty()) {
-                    ctx.Send(ev->Sender, new NMon::TEvHttpInfoRes(
-                        "HTTP/1.1 204 No Content\r\n"
-                        "Access-Control-Allow-Origin: " + origin + "\r\n"
-                        "Access-Control-Allow-Credentials: true\r\n"
-                        "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
-                        "Access-Control-Allow-Methods: OPTIONS, GET, POST\r\n"
-                        "Allow: OPTIONS, GET, POST\r\n"
-                        "Content-Type: " + type + "\r\n"
-                        "Connection: Keep-Alive\r\n\r\n", 0, NMon::IEvHttpInfoRes::EContentType::Custom));
-                } else {
-                    ctx.Send(ev->Sender, new NMon::TEvHttpInfoRes(
-                        "HTTP/1.1 204 No Content\r\n"
-                        "Allow: OPTIONS, GET, POST\r\n"
-                        "Content-Type: " + type + "\r\n"
-                        "Connection: Keep-Alive\r\n\r\n", 0, NMon::IEvHttpInfoRes::EContentType::Custom));
-                }
-            }
+            TStringBuilder response;
+            response << "HTTP/1.1 204 No Content\r\n";
+            FillCORS(response, msg);
+            response << "Content-Type: " + type + "\r\n"
+                        "Connection: Keep-Alive\r\n\r\n";
+            Send(ev->Sender, new NMon::TEvHttpInfoRes(response, 0, NMon::IEvHttpInfoRes::EContentType::Custom));
             return;
         }
         TString path("/" + msg->Request.GetPage()->Path + msg->Request.GetPathInfo());
@@ -615,7 +591,8 @@ void TViewer::FillCORS(TStringBuilder& stream, const TRequestState& request) {
         stream << "Access-Control-Allow-Origin: " << origin << "\r\n"
                << "Access-Control-Allow-Credentials: true\r\n"
                << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
-               << "Access-Control-Allow-Methods: OPTIONS, GET, POST\r\n";
+               << "Access-Control-Allow-Methods: OPTIONS, GET, POST, DELETE\r\n"
+               << "Allow: OPTIONS, GET, POST, DELETE\r\n";
     }
 }
 
