From 014ea3eadcb248866eb0ae17bdc2ab9c169e6aad Mon Sep 17 00:00:00 2001
From: Jon Nordby
Date: Sat, 7 Jun 2014 14:36:26 +0200
Subject: [PATCH] API: Clarify Access-Control-Request-Header handling

'headers' was a way too generic name, and the code structure implied it was used in place of 'resp.headers' or 'request.headers', which is not the case. Also add comment about the purpose of this code.
---
 src/octoprint/server/api/__init__.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/octoprint/server/api/__init__.py b/src/octoprint/server/api/__init__.py
index ccfa1590..acb821a3 100644
--- a/src/octoprint/server/api/__init__.py
+++ b/src/octoprint/server/api/__init__.py
@@ -37,10 +37,6 @@ def optionsAllowOrigin(request):
 resp = current_app.make_default_options_response()
- headers = None
- if 'ACCESS_CONTROL_REQUEST_HEADERS' in request.headers:
- headers = request.headers['ACCESS_CONTROL_REQUEST_HEADERS']
-
 # Allow the origin which made the XHR
 resp.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 # Allow the actual method
@@ -48,9 +44,11 @@ def optionsAllowOrigin(request):
 # Allow for 10 seconds
 resp.headers['Access-Control-Max-Age'] = "10"
- # We also keep current headers
- if headers is not None:
- resp.headers['Access-Control-Allow-Headers'] = headers
+ # 'preflight' request contains the non-standard headers the real request will have (like X-Api-Key)
+ customRequestHeaders = request.headers.get('ACCESS_CONTROL_REQUEST_HEADERS', None)
+ if customRequestHeaders is not None:
+ # If present => allow them all
+ resp.headers['Access-Control-Allow-Headers'] = customRequestHeaders
 return resp
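Review bot: In the second hunk the new `customRequestHeaders` branch copies the client-supplied Access-Control-Request-Headers value unchanged into `Access-Control-Allow-Headers`, and the context lines of the first hunk already echo `request.headers['Origin']` into `Access-Control-Allow-Origin`, so the preflight answer places no limit on which origin may send which header, `X-Api-Key` included. If that openness is deliberate, the comment `# If present => allow them all` should say so and name the setting that gates it; otherwise keep only the names the API accepts, e.g. `allowed = [h.strip() for h in customRequestHeaders.split(',') if h.strip().lower() in ALLOWED_REQUEST_HEADERS]` and `resp.headers['Access-Control-Allow-Headers'] = ', '.join(allowed)`, where `ALLOWED_REQUEST_HEADERS` is a placeholder name for a module-level set of lower-case header names. The lookup key `'ACCESS_CONTROL_REQUEST_HEADERS'` is not the header's wire name and presumably resolves only through the framework's key normalisation; `request.headers.get('Access-Control-Request-Headers')` states the intent directly. `optionsAllowOrigin` begins above the hunk, so whether its callers restrict when it runs is not visible here.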