From 95389e8df829f6f053a27c8cd0c694d8a0e8d3f6 Mon Sep 17 00:00:00 2001
From: Ambre Bertucci <ambre@akarys.me>
Date: Wed, 15 Feb 2023 17:42:22 +0000
Subject: [PATCH] feat(api): allow custom user-agents in cors headers (#520)

Firefox's (correct) CORS implementation considers `User-Agent` as a forbidden header and requires the server to explicitly opt into custom UAs by allowing this header in `Access-Control-Allow-Headers`.

This commit enables CSR apps to correctly communicate which tools they are part of.
---
 services/web-proxy/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/web-proxy/main.go b/services/web-proxy/main.go
index 92328c57..6135a52f 100644
--- a/services/web-proxy/main.go
+++ b/services/web-proxy/main.go
@@ -67,7 +67,7 @@ func (p ProxyHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 		rw.Header().Add("Access-Control-Allow-Origin", "*")
 		rw.Header().Add("Access-Control-Allow-Methods", "*")
 		rw.Header().Add("Access-Control-Allow-Credentials", "true")
-		rw.Header().Add("Access-Control-Allow-Headers", "Content-Type, Authorization, sentry-trace")
+		rw.Header().Add("Access-Control-Allow-Headers", "Content-Type, Authorization, sentry-trace, User-Agent")
 		rw.Header().Add("Access-Control-Max-Age", "86400")
 
 		if r.Method == http.MethodOptions {