From 5fba5025168aac0c9aa5dd767e51e0ee264ebbe5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alen=20=C5=A0iljak?= <dev@alensiljak.eu.org>
Date: Wed, 22 Nov 2023 13:23:34 +0100
Subject: [PATCH] http: enable methods used with WebDAV - fixes #7444

Without this, requests like PROPFIND, issued from a browser, fail.
---
 lib/http/middleware.go      | 2 +-
 lib/http/middleware_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/http/middleware.go b/lib/http/middleware.go
index e7e4582b3..3ee5c0cdc 100644
--- a/lib/http/middleware.go
+++ b/lib/http/middleware.go
@@ -183,8 +183,8 @@ func MiddlewareCORS(allowOrigin string) Middleware {
 
 			if allowOrigin != "" {
 				w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
-				w.Header().Add("Access-Control-Request-Method", "POST, OPTIONS, GET, HEAD")
 				w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
+				w.Header().Add("Access-Control-Allow-Methods", "COPY, DELETE, GET, HEAD, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, TRACE, UNLOCK")
 			}
 
 			next.ServeHTTP(w, r)
diff --git a/lib/http/middleware_test.go b/lib/http/middleware_test.go
index 283848f94..15d0b0525 100644
--- a/lib/http/middleware_test.go
+++ b/lib/http/middleware_test.go
@@ -323,8 +323,8 @@ func TestMiddlewareAuthCertificateUser(t *testing.T) {
 
 var _testCORSHeaderKeys = []string{
 	"Access-Control-Allow-Origin",
-	"Access-Control-Request-Method",
 	"Access-Control-Allow-Headers",
+	"Access-Control-Allow-Methods",
 }
 
 func TestMiddlewareCORS(t *testing.T) {