From 28481fb0bc97d188571610bb28aacc98d990b574 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 16 Jul 2025 19:26:00 +0100
Subject: [PATCH] Allow some rails headers in CORS preflight

---
 cookbooks/tile/templates/default/export.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cookbooks/tile/templates/default/export.erb b/cookbooks/tile/templates/default/export.erb
index a0f8ff571..4466524e2 100644
--- a/cookbooks/tile/templates/default/export.erb
+++ b/cookbooks/tile/templates/default/export.erb
@@ -191,6 +191,7 @@ if os.environ['REQUEST_METHOD'] == 'OPTIONS':
   # Handle CORS preflight checks
   print('Status: 204 No Content')
   print('Access-Control-Allow-Origin: %s' % os.environ['HTTP_ORIGIN'])
+  print('Access-Control-Allow-Headers: X-CSRF-Token, X-Turbo-Request-Id')
   print('Access-Control-Allow-Credentials: true')
   print('')
 elif not totp.verify(token, valid_window = 1):
-- 
2.39.5