From 2901f54359bba1ccbe2aac52fd9ff255aa6072b7 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Fri, 22 May 2020 17:42:39 +0100
Subject: [PATCH] Fix missing CORS headers on OPTION responses (#7560)

Broke in #7534.
---
 changelog.d/7560.misc  |  1 +
 synapse/http/server.py |  2 +-
 tests/test_server.py   | 28 ++++++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/7560.misc

diff --git a/changelog.d/7560.misc b/changelog.d/7560.misc
new file mode 100644
index 0000000000..9088fb65b8
--- /dev/null
+++ b/changelog.d/7560.misc
@@ -0,0 +1 @@
+All endpoints now respond with a 200 OK for `OPTIONS` requests.
\ No newline at end of file
diff --git a/synapse/http/server.py b/synapse/http/server.py
index 33fcfbea6e..9cc2e2e154 100644
--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -452,7 +452,7 @@ class OptionsResource(resource.Resource):
         code, response_json_object = _options_handler(request)
 
         return respond_with_json(
-            request, code, response_json_object, send_cors=False, canonical_json=False,
+            request, code, response_json_object, send_cors=True, canonical_json=False,
         )
 
     def getChildWithDefault(self, path, request):
diff --git a/tests/test_server.py b/tests/test_server.py
index 437f925bf9..e9a43b1e45 100644
--- a/tests/test_server.py
+++ b/tests/test_server.py
@@ -203,12 +203,40 @@ class OptionsResourceTests(unittest.TestCase):
         self.assertEqual(channel.result["code"], b"200")
         self.assertEqual(channel.result["body"], b"{}")
 
+        # Ensure the correct CORS headers have been added
+        self.assertTrue(
+            channel.headers.hasHeader(b"Access-Control-Allow-Origin"),
+            "has CORS Origin header",
+        )
+        self.assertTrue(
+            channel.headers.hasHeader(b"Access-Control-Allow-Methods"),
+            "has CORS Methods header",
+        )
+        self.assertTrue(
+            channel.headers.hasHeader(b"Access-Control-Allow-Headers"),
+            "has CORS Headers header",
+        )
+
     def test_known_options_request(self):
         """An OPTIONS requests to an known URL still returns 200 OK."""
         channel = self._make_request(b"OPTIONS", b"/res/")
         self.assertEqual(channel.result["code"], b"200")
         self.assertEqual(channel.result["body"], b"{}")
 
+        # Ensure the correct CORS headers have been added
+        self.assertTrue(
+            channel.headers.hasHeader(b"Access-Control-Allow-Origin"),
+            "has CORS Origin header",
+        )
+        self.assertTrue(
+            channel.headers.hasHeader(b"Access-Control-Allow-Methods"),
+            "has CORS Methods header",
+        )
+        self.assertTrue(
+            channel.headers.hasHeader(b"Access-Control-Allow-Headers"),
+            "has CORS Headers header",
+        )
+
     def test_unknown_request(self):
         """A non-OPTIONS request to an unknown URL should 404."""
         channel = self._make_request(b"GET", b"/foo/")
-- 
GitLab