From e19674290244a514999fa6d5400d22e9601f7732 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 17 Jul 2025 21:35:37 +0100
Subject: [PATCH] Avoid accessing form data for OPTIONS requests

---
 cookbooks/tile/templates/default/export.erb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cookbooks/tile/templates/default/export.erb b/cookbooks/tile/templates/default/export.erb
index 573a222b4..dd05816ed 100644
--- a/cookbooks/tile/templates/default/export.erb
+++ b/cookbooks/tile/templates/default/export.erb
@@ -179,8 +179,10 @@ if 'HTTP_REFERER' not in os.environ:
 # Look for TOTP token
 if '_osm_totp_token' in cookies:
   token = cookies['_osm_totp_token'].value
-else:
+elif os.environ['REQUEST_METHOD'] != 'OPTIONS':
   token = form.getfirst("token")
+else:
+  token = None
 
 # Get the load average
 cputimes = [float(n) for n in open("/proc/stat").readline().rstrip().split()[1:-1]]
-- 
2.39.5