From 394c986139de2d75016c465b1280353acae9e615 Mon Sep 17 00:00:00 2001
From: David Lawrence <dkl@mozilla.com>
Date: Tue, 10 Mar 2015 14:42:51 +0000
Subject: Bug 1141440: OPTION response for CORS requests to REST doesn't allow
 X-Bugzilla headers

---
 Bugzilla/WebService/Server/REST.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/WebService')

diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 72d94acf6..9ee340ccb 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -141,8 +141,18 @@ sub response {
         { rpc => $self, result => \$result, response => $response });
 
     # Access Control
+    my @allowed_headers = qw(
+        accept
+        content-type
+        origin
+        x-bugzilla-api-key
+        x-bugzilla-login
+        x-bugzilla-password
+        x-bugzilla-token
+        x-requested-with
+    );
     $response->header("Access-Control-Allow-Origin", "*");
-    $response->header("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with");
+    $response->header("Access-Control-Allow-Headers", join(', ', @allowed_headers));
 
     # ETag support
     my $etag = $self->bz_etag;
-- 
cgit v1.2.3-24-g4f1b