From 9f5bc87d0f68c0b0da96a07828bafded9084e062 Mon Sep 17 00:00:00 2001
From: GoEdgeLab <goedgecloud@gmail.com>
Date: Fri, 19 May 2023 16:34:41 +0800
Subject: [PATCH] =?UTF-8?q?HTTP=20Header=20-=20CORS=E8=B7=A8=E5=9F=9F?=
 =?UTF-8?q?=E8=AE=BE=E7=BD=AE=E5=A2=9E=E5=8A=A0=E5=A4=9A=E4=B8=AA=E9=80=89?=
 =?UTF-8?q?=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/nodes/http_request.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/internal/nodes/http_request.go b/internal/nodes/http_request.go
index f52075a..584d284 100644
--- a/internal/nodes/http_request.go
+++ b/internal/nodes/http_request.go
@@ -1728,7 +1728,7 @@ func (this *HTTPRequest) processResponseHeaders(responseHeader http.Header, stat
 		}
 
 		// CORS
-		if this.web.ResponseHeaderPolicy.CORS != nil && this.web.ResponseHeaderPolicy.CORS.IsOn {
+		if this.web.ResponseHeaderPolicy.CORS != nil && this.web.ResponseHeaderPolicy.CORS.IsOn && (!this.web.ResponseHeaderPolicy.CORS.OptionsMethodOnly || this.RawReq.Method == http.MethodOptions) {
 			var corsConfig = this.web.ResponseHeaderPolicy.CORS
 
 			// Allow-Origin
@@ -1753,6 +1753,16 @@ func (this *HTTPRequest) processResponseHeaders(responseHeader http.Header, stat
 				responseHeader.Set("Access-Control-Max-Age", types.String(corsConfig.MaxAge))
 			}
 
+			// Expose-Headers
+			if len(corsConfig.ExposeHeaders) > 0 {
+				responseHeader.Set("Access-Control-Expose-Headers", strings.Join(corsConfig.ExposeHeaders, ", "))
+			}
+
+			// Request-Method
+			if len(corsConfig.RequestMethod) > 0 {
+				responseHeader.Set("Access-Control-Request-Method", strings.ToUpper(corsConfig.RequestMethod))
+			}
+
 			// Allow-Credentials
 			responseHeader.Set("Access-Control-Allow-Credentials", "true")
 		}