From d421e8de422b36f6e5838c3b46a99ab017ea08f0 Mon Sep 17 00:00:00 2001
From: JR Conlin
Date: Wed, 26 Apr 2023 17:01:48 -0700
Subject: [PATCH] bug: make CORS default less restrictive. (#348)

Fixes: Sync-3608
---
 autoendpoint/src/server.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/autoendpoint/src/server.rs b/autoendpoint/src/server.rs
index ef4905b82..c80a2d88f 100644
--- a/autoendpoint/src/server.rs
+++ b/autoendpoint/src/server.rs
@@ -111,6 +111,17 @@ impl Server {
 };

 let server = HttpServer::new(move || {
+ // These have a bad habit of being reset. Specify them explicitly.
+ let cors = Cors::default()
+ .allow_any_origin()
+ .allow_any_header()
+ .allowed_methods(vec![
+ actix_web::http::Method::DELETE,
+ actix_web::http::Method::GET,
+ actix_web::http::Method::POST,
+ actix_web::http::Method::PUT,
+ ])
+ .max_age(3600);
 App::new()
 // Actix 4 recommends wrapping structures wtih web::Data (internally an Arc)
 .app_data(Data::new(app_state.clone()))
@@ -124,7 +135,7 @@ impl Server {
 metrics.clone(),
 "api_error".to_owned(),
 ))
- .wrap(Cors::default())
+ .wrap(cors)
 // Endpoints
 .service(
 web::resource(["/wpush/{api_version}/{token}", "/wpush/{token}"])
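Review bot: The comment above the new `cors` builder in the first hunk says only that the defaults "have a bad habit of being reset"; it does not record why allowing any origin and any request header is acceptable for this server. The policy is wrapped around the whole `App`, so every route registered in this closure inherits it, including whichever routes accept DELETE and PUT; only the `/wpush/...` resource is visible here, and the closure continues outside both hunks. If the rationale is that these endpoints authenticate through the URL token and request headers rather than cookies, the comment should say so and state the constraint that follows, e.g. `// Any origin is allowed because no route relies on cookies or other ambient credentials; do not add supports_credentials() to this builder.` A test that sends a preflight with an arbitrary Origin and asserts the returned Access-Control-Allow-* headers would also catch the silent reset the comment is worried about.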