From 8364dab2ea2eea368261675a574084c8860365d4 Mon Sep 17 00:00:00 2001
From: Adnan Abdulhussein <adnan@prydoni.us>
Date: Thu, 29 Jun 2017 15:13:50 +0100
Subject: [PATCH] fix CORS for deployments (#302)

---
 deployment/monocular/values.yaml | 6 ++++--
 docs/config.example.yaml         | 4 ++--
 src/api/config/cors/cors.go      | 4 ++--
 src/api/config/cors/cors_test.go | 4 ++--
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/deployment/monocular/values.yaml b/deployment/monocular/values.yaml
index 8df74f64f..dfc4ef6f6 100644
--- a/deployment/monocular/values.yaml
+++ b/deployment/monocular/values.yaml
@@ -36,9 +36,11 @@ api:
       #  source: my-repository-source
     cors:
       allowed_origins:
-        - my-api-server
+        - ""
+        # e.g. UI served on a different domain
+        # - http://monocular.local
       allowed_headers:
-        - "access-control-allow-headers"
+        - "content-type"
         - "x-xsrf-token"
     # Enable Helm deployment integration
     releasesEnabled: true
diff --git a/docs/config.example.yaml b/docs/config.example.yaml
index 96f2e5f8d..13cc3bcd6 100644
--- a/docs/config.example.yaml
+++ b/docs/config.example.yaml
@@ -15,9 +15,9 @@ repos:
 
 # cors:
 #   allowed_origins:
-#     - my-api-server
+#     - my-ui-hostname
 #   allowed_headers:
-#     - "access-control-allow-headers"
+#     - "content-type"
 #     - "x-xsrf-token"
 
 # Enables Helm deployment integration
diff --git a/src/api/config/cors/cors.go b/src/api/config/cors/cors.go
index d2cd44d2b..c6f4cee83 100644
--- a/src/api/config/cors/cors.go
+++ b/src/api/config/cors/cors.go
@@ -27,8 +27,8 @@ func defaultCors() (Cors, error) {
 	}
 	// Defaults
 	return Cors{
-		AllowedOrigins: []string{"my-api-server"},
-		AllowedHeaders: []string{"access-control-allow-headers", "x-xsrf-token"},
+		AllowedOrigins: []string{""},
+		AllowedHeaders: []string{"content-type", "x-xsrf-token"},
 	}, nil
 }
 
diff --git a/src/api/config/cors/cors_test.go b/src/api/config/cors/cors_test.go
index 2f9876d1d..f49536cec 100644
--- a/src/api/config/cors/cors_test.go
+++ b/src/api/config/cors/cors_test.go
@@ -12,8 +12,8 @@ var configFileOk = filepath.Join("..", "testdata", "config.yaml")
 var configFileNotOk = filepath.Join("..", "testdata", "bogus_config.yaml")
 var configFileNoCors = filepath.Join("..", "testdata", "nocors_config.yaml")
 var defaultExpectedCors = Cors{
-	AllowedOrigins: []string{"my-api-server"},
-	AllowedHeaders: []string{"access-control-allow-headers", "x-xsrf-token"},
+	AllowedOrigins: []string{""},
+	AllowedHeaders: []string{"content-type", "x-xsrf-token"},
 }
 
 func TestConfigFileDoesNotExist(t *testing.T) {