From f2158e32c80d9a34aa4ba57e217e5664fca1e985 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Mon, 31 Oct 2016 01:43:47 +0100
Subject: [PATCH] [FIX] http: permit debug mode on CORS-enabled routes

As of f814dd9908355465dd03735f4589dd1697b3658a, debug mode causes an extra X-Debug-Mode header to be sent by the rpc() JS method. This custom header was not whitelisted in the accepted CORS headers, therefore any cross-origin call to a route with `cors=True` would fail in debug mode, with a console error along those lines: "Request header field X-Debug-Mode is not allowed by Access-Control-Allow-Headers in preflight response" This would prevent loading the POS GUI in debug mode, for example. This commit is necessary in the 8.0 branch because the POSBox is currently based on a 8.0 server and may be accessed by a 9.0 POS or later, thus with the extra header.
---
 openerp/http.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openerp/http.py b/openerp/http.py
index 994a396ffa7..4900e140ce0 100644
--- a/openerp/http.py
+++ b/openerp/http.py
@@ -684,7 +684,7 @@ class HttpRequest(WebRequest):
 if request.httprequest.method == 'OPTIONS' and request.endpoint and request.endpoint.routing.get('cors'):
 headers = {
 'Access-Control-Max-Age': 60 * 60 * 24,
- 'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept'
+ 'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, X-Debug-Mode'
 }
 return Response(status=200, headers=headers)
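Review bot: The widened `'Access-Control-Allow-Headers'` value in the `headers` dict has no comment explaining why a debug-only header is accepted on every `cors=True` route, so a later cleanup could remove it or keep extending the list without review. I would add a comment above that entry such as `# X-Debug-Mode: sent by rpc() in debug mode by 9.0+ clients; preflight fails without it`. Because this entry decides which request headers a cross-origin page may send, it is also worth confirming that the server-side handling of `X-Debug-Mode`, which is not visible in this hunk, only affects client-side debugging and never changes what a request is allowed to do. The enclosing method starts and ends outside the hunk, so where `Access-Control-Allow-Origin` is set for these routes cannot be checked from here.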