Implement CORS headers.

In modern world, OPTIONS request is used primarily as a "pre-flight" request for CORS headers.
https://stackoverflow.com/questions/29954037/why-is-an-options-request-sent-and-can-i-disable-it

Author: Hexawolf

config.go

@@ -47,6 +47,9 @@ type Config struct {
 	// Overridden by X-HTTPS-Downstream header.
 	HTTPSDownstream bool `yaml:"https_downstream"`
 
+	// AllowedOrigins specifies Access-Control-Allow-Origin header.
+	AllowedOrigins string `yaml:"allowed_origins"`
+
 	// Internal, used only for testing. Always 60 secs in production.
 	CleanupIntervalSecs int `yaml:"-"`
 }

filedropd/filedropd.example.yml

@@ -35,3 +35,6 @@ storage_dir: /var/lib/filedrop
 # Specifies whether filedrop should return links with https scheme or not.
 # Overridden by X-HTTPS-Downstream header.
 https_downstream: true
+
+# Specifies Access-Control-Allow-Origin header.
+allowed_origins: "*"

server.go

@@ -349,14 +349,17 @@ func (s *Server) serveFile(w http.ResponseWriter, r *http.Request) {
 // Note that filedrop code is URL prefix-agnostic, so request URI doesn't
 // matters much.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Access-Control-Allowed-Origin", s.Conf.AllowedOrigins)
 	if r.Method == http.MethodPost {
 		s.acceptFile(w, r)
 	} else if
 		r.Method == http.MethodGet ||
-		r.Method == http.MethodHead ||
-		r.Method == http.MethodOptions {
+		r.Method == http.MethodHead {
 
 		s.serveFile(w, r)
+	} else if r.Method == http.MethodOptions {
+		w.Header().Set("Access-Control-Allow-Methods", "HEAD, GET, POST, DELETE")
+		w.WriteHeader(http.StatusNoContent)
 	} else {
 		w.WriteHeader(http.StatusMethodNotAllowed)
 		w.Write([]byte("405 method not allowed"))