From 2f183b3d50c01ee1325b02b8c2099cc8ef3db7de Mon Sep 17 00:00:00 2001 From: Wil Wilsman Date: Fri, 9 Oct 2020 14:30:49 -0500 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Add=20cors=20allowed=20headers?= =?UTF-8?q?=20header?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/core/src/server.js | 6 +++++- packages/core/test/server.test.js | 15 +++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/packages/core/src/server.js b/packages/core/src/server.js index ac8f238c5..780a60cc3 100644 --- a/packages/core/src/server.js +++ b/packages/core/src/server.js @@ -7,7 +7,11 @@ async function getReply(routes, request) { // cors preflight if (request.method === 'OPTIONS') { - reply = [204, { 'Access-Control-Allow-Methods': 'GET,POST' }]; + reply = [204, {}]; + reply[1]['Access-Control-Allow-Methods'] = 'GET,POST,OPTIONS'; + reply[1]['Access-Control-Request-Headers'] = 'Vary'; + let allowed = request.headers['access-control-request-headers']; + if (allowed?.length) reply[1]['Access-Control-Allow-Headers'] = allowed; } else { reply = await Promise.resolve() .then(() => routes.middleware?.(request)) diff --git a/packages/core/test/server.test.js b/packages/core/test/server.test.js index 2de9717b8..857380168 100644 --- a/packages/core/test/server.test.js +++ b/packages/core/test/server.test.js 
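Review bot: The added line `reply[1]['Access-Control-Request-Headers'] = 'Vary';` has the header name and value swapped. `Access-Control-Request-Headers` is a request header, so sending it back has no effect, and the reply never tells a cache that its `Access-Control-Allow-Headers` value depends on what the request asked for. It should read `reply[1]['Vary'] = 'Access-Control-Request-Headers';`, and the assertion `.get('Access-Control-Request-Headers')).toBe('Vary')` in the server.test.js hunk pins the swapped form and needs the same correction. Separately, `allowed` is copied unchanged from the request into `Access-Control-Allow-Headers`, while the test expects `Access-Control-Allow-Origin` to be `*`, so the preflight approves any header from any origin for this local server. If only a few headers are needed (the test uses `Content-Type`), answer with a fixed list instead, or at least record the choice with a comment such as `// reflects the requested headers as-is; preflight does not limit which headers a page may send`; the body of getReply continues outside the hunk.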
@@ -123,17 +123,28 @@ describe('Snapshot Server', () => { it('accepts preflight cors checks', async () => { let called = false; + let response; await percy.start(); percy.snapshot = async () => (called = true); - let response = await fetch('http://localhost:1337/percy/snapshot', { + response = await fetch('http://localhost:1337/percy/snapshot', { method: 'OPTIONS' }); expect(response.status).toBe(204); expect(response.headers.get('Access-Control-Allow-Origin')).toBe('*'); - expect(response.headers.get('Access-Control-Allow-Methods')).toBe('GET,POST'); + expect(response.headers.get('Access-Control-Allow-Methods')).toBe('GET,POST,OPTIONS'); + expect(response.headers.get('Access-Control-Request-Headers')).toBe('Vary'); + expect(called).toBe(false); + + response = await fetch('http://localhost:1337/percy/snapshot', { + headers: { 'Access-Control-Request-Headers': 'Content-Type' }, + method: 'OPTIONS' + }); + + expect(response.status).toBe(204); + expect(response.headers.get('Access-Control-Allow-Headers')).toBe('Content-Type'); expect(called).toBe(false); });