From 25c4d3f090491252e4d91cd2593243b81e9c2413 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 16 Jul 2025 19:12:19 +0100
Subject: [PATCH] Don't set Access-Control-Allow-Origin if CGI has done so

---
 cookbooks/tile/templates/default/apache.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index 50f6b5a97..7ce4deebc 100644
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -66,7 +66,7 @@
 
   # Always set Access-Control-Allow-Origin so that simple CORS requests
   # will always work and can be cached
-  Header set Access-Control-Allow-Origin "*"
+  Header set Access-Control-Allow-Origin "*" "expr=-z resp('Access-Control-Allow-Origin')"
 
   # Add diagnostics header to identify render server
   Header set X-TileRender "<%= node.name %>"
-- 
2.39.5