fix CORS headers (#8314)

adameat · web-flow · commit a85ac6f92f8f · 2024-08-27T11:20:27.000+03:00
diff --git a/ydb/core/mon/async_http_mon.cpp b/ydb/core/mon/async_http_mon.cpp
@@ -240,9 +240,9 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         response << "HTTP/1.1 204 No Content\r\n"
                     "Access-Control-Allow-Origin: " << origin << "\r\n"
                     "Access-Control-Allow-Credentials: true\r\n"
-                    "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept\r\n"
+                    "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
                     "Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE\r\n"
-                    "Content-Type: " + type + "\r\n"
+                    "Content-Type: " << type << "\r\n"
                     "Connection: keep-alive\r\n\r\n";
         ReplyWith(request->CreateResponseString(response));
         PassAway();
diff --git a/ydb/core/viewer/viewer.cpp b/ydb/core/viewer/viewer.cpp
@@ -314,36 +314,12 @@ class TViewer : public TActorBootstrapped<TViewer>, public IViewer {
             if (type.empty()) {
                 type = "application/json";
             }
-            if (AllowOrigin) {
-                ctx.Send(ev->Sender, new NMon::TEvHttpInfoRes(
-                    "HTTP/1.1 204 No Content\r\n"
-                    "Access-Control-Allow-Origin: " + AllowOrigin + "\r\n"
-                    "Access-Control-Allow-Credentials: true\r\n"
-                    "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept\r\n"
-                    "Access-Control-Allow-Methods: OPTIONS, GET, POST\r\n"
-                    "Allow: OPTIONS, GET, POST\r\n"
-                    "Content-Type: " + type + "\r\n"
-                    "Connection: Keep-Alive\r\n\r\n", 0, NMon::IEvHttpInfoRes::EContentType::Custom));
-            } else {
-                TString origin = TString(msg->Request.GetHeader("Origin"));
-                if (!origin.empty()) {
-                    ctx.Send(ev->Sender, new NMon::TEvHttpInfoRes(
-                        "HTTP/1.1 204 No Content\r\n"
-                        "Access-Control-Allow-Origin: " + origin + "\r\n"
-                        "Access-Control-Allow-Credentials: true\r\n"
-                        "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept\r\n"
-                        "Access-Control-Allow-Methods: OPTIONS, GET, POST\r\n"
-                        "Allow: OPTIONS, GET, POST\r\n"
-                        "Content-Type: " + type + "\r\n"
-                        "Connection: Keep-Alive\r\n\r\n", 0, NMon::IEvHttpInfoRes::EContentType::Custom));
-                } else {
-                    ctx.Send(ev->Sender, new NMon::TEvHttpInfoRes(
-                        "HTTP/1.1 204 No Content\r\n"
-                        "Allow: OPTIONS, GET, POST\r\n"
-                        "Content-Type: " + type + "\r\n"
-                        "Connection: Keep-Alive\r\n\r\n", 0, NMon::IEvHttpInfoRes::EContentType::Custom));
-                }
-            }
+            TStringBuilder response;
+            response << "HTTP/1.1 204 No Content\r\n";
+            response << GetCORS(msg);
+            response << "Content-Type: " + type + "\r\n"
+                        "Connection: Keep-Alive\r\n\r\n";
+            Send(ev->Sender, new NMon::TEvHttpInfoRes(response, 0, NMon::IEvHttpInfoRes::EContentType::Custom));
             return;
         }
         TString filename(msg->Request.GetPage()->Path + msg->Request.GetPathInfo());
@@ -444,11 +420,15 @@ TString TViewer::GetCORS(const NMon::TEvHttpInfo* request) {
     } else if (request && request->Request.GetHeaders().HasHeader("Origin")) {
         origin = request->Request.GetHeader("Origin");
     }
+    if (origin.empty()) {
+        origin = "*";
+    }
     if (origin) {
         res << "Access-Control-Allow-Origin: " << origin << "\r\n"
             << "Access-Control-Allow-Credentials: true\r\n"
-            << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept\r\n"
-            << "Access-Control-Allow-Methods: OPTIONS, GET, POST\r\n";
+            << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
+            << "Access-Control-Allow-Methods: OPTIONS, GET, POST, DELETE\r\n"
+            << "Allow: OPTIONS, GET, POST, DELETE\r\n";
     }
     return res;
 }
