From e6046f56b32c930db99bf4fc1109f9d4e8813727 Mon Sep 17 00:00:00 2001
From: Jessica McInchak
Date: Wed, 17 Jan 2024 10:30:09 +0100
Subject: [PATCH 1/4] disable new CORS rules for OS Proxy endpoint
---
 api.planx.uk/modules/ordnanceSurvey/routes.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/api.planx.uk/modules/ordnanceSurvey/routes.ts b/api.planx.uk/modules/ordnanceSurvey/routes.ts
index b8f5204c94..e55ca05549 100644
--- a/api.planx.uk/modules/ordnanceSurvey/routes.ts
+++ b/api.planx.uk/modules/ordnanceSurvey/routes.ts
@@ -1,8 +1,16 @@
+import cors from "cors";
 import { Router } from "express";
 import { useOrdnanceSurveyProxy } from "./controller";
 const router = Router();
-router.use("/proxy/ordnance-survey", useOrdnanceSurveyProxy);
+// Because this route already uses MAP_ALLOWLIST, disable global CORS checks so map repo docs and HTML templates are accessible
+const osProxyCORSOptions = {
+ credentials: true,
+ methods: "*",
+};
+
+router.options("/proxy/ordnance-survey", cors(osProxyCORSOptions));
+router.use("/proxy/ordnance-survey", cors(osProxyCORSOptions), useOrdnanceSurveyProxy);
 export default router;
From e126a9f24cd64df13162940579e03168cfbcb2ff Mon Sep 17 00:00:00 2001
From: Jessica McInchak
Date: Wed, 17 Jan 2024 10:37:42 +0100
Subject: [PATCH 2/4] run prettier
---
 api.planx.uk/modules/ordnanceSurvey/routes.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/api.planx.uk/modules/ordnanceSurvey/routes.ts b/api.planx.uk/modules/ordnanceSurvey/routes.ts
index e55ca05549..7006c7ebff 100644
--- a/api.planx.uk/modules/ordnanceSurvey/routes.ts
+++ b/api.planx.uk/modules/ordnanceSurvey/routes.ts
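Review bot: `osProxyCORSOptions` in routes.ts (patch 1/4) sets `credentials: true` but no `origin`, so the `cors` middleware falls back to its default `Access-Control-Allow-Origin: *`, which browsers reject on credentialed requests; `methods: "*"` is also read literally, not as a wildcard, once credentials are involved. Either drop `credentials: true` or name the allowed origins and methods explicitly, for example `methods: ["GET", "HEAD", "OPTIONS"]` if that is all the map components need. The comment justifies the change by MAP_ALLOWLIST, which the controller matches against the Referer header, so it should say that: `// CORS is relaxed here; access is gated by the Referer allowlist in the controller`. The `router.options` handler also answers preflights before `useOrdnanceSurveyProxy` runs, so preflights never reach that allowlist.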
@@ -11,6 +11,10 @@ const osProxyCORSOptions = {
 };
 router.options("/proxy/ordnance-survey", cors(osProxyCORSOptions));
-router.use("/proxy/ordnance-survey", cors(osProxyCORSOptions), useOrdnanceSurveyProxy);
+router.use(
+ "/proxy/ordnance-survey",
+ cors(osProxyCORSOptions),
+ useOrdnanceSurveyProxy,
+);
 export default router;
From d93940707cfe4698c5cb49169dea8a481e07114b Mon Sep 17 00:00:00 2001
From: Jessica McInchak
Date: Thu, 18 Jan 2024 10:18:53 +0100
Subject: [PATCH 3/4] try adding proxyRes headers too
---
 api.planx.uk/modules/ordnanceSurvey/controller.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/api.planx.uk/modules/ordnanceSurvey/controller.ts b/api.planx.uk/modules/ordnanceSurvey/controller.ts
index d950eb36ab..e09847141c 100644
--- a/api.planx.uk/modules/ordnanceSurvey/controller.ts
+++ b/api.planx.uk/modules/ordnanceSurvey/controller.ts
@@ -1,6 +1,7 @@
 import { useProxy } from "../../shared/middleware/proxy";
 import { NextFunction, Request, Response } from "express";
 import { IncomingMessage } from "http";
+import { request } from "https";
 export const OS_DOMAIN = "https://api.os.uk";
@@ -28,7 +29,7 @@ export const useOrdnanceSurveyProxy = async (
 return useProxy({
 target: OS_DOMAIN,
- onProxyRes: (proxyRes) => setCORPHeaders(proxyRes),
+ onProxyRes: (proxyRes) => setCORPHeaders(proxyRes, req),
 pathRewrite: (fullPath, req) => appendAPIKey(fullPath, req),
 })(req, res, next);
 };
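Review bot: `import { request } from "https";` in the first controller.ts hunk (patch 3/4) is not used by any hunk in this series and looks like an editor auto-import. The `req` handed to `setCORPHeaders` is the Express `Request` already in scope, so the import can simply be removed.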
@@ -36,8 +37,10 @@ export const useOrdnanceSurveyProxy = async (
 const isValid = (req: Request): boolean =>
 MAP_ALLOWLIST.some((re) => re.test(req.headers?.referer as string));
-const setCORPHeaders = (proxyRes: IncomingMessage): void => {
+const setCORPHeaders = (proxyRes: IncomingMessage, req: Request): void => {
 proxyRes.headers["Cross-Origin-Resource-Policy"] = "cross-origin";
+ proxyRes.headers["Access-Control-Allow-Origin"] = req.headers.origin;
+ proxyRes.headers["Access-Control-Allow-Headers"] = "Origin, X-Requested-With, Content-Type, Accept";
 };
 export const appendAPIKey = (fullPath: string, req: Request): string => {
From 51f4cca740576860533ecf5c1b7642b177c2c6a0 Mon Sep 17 00:00:00 2001
From: Jessica McInchak
Date: Thu, 18 Jan 2024 10:25:00 +0100
Subject: [PATCH 4/4] run prettier
---
 api.planx.uk/modules/ordnanceSurvey/controller.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/api.planx.uk/modules/ordnanceSurvey/controller.ts b/api.planx.uk/modules/ordnanceSurvey/controller.ts
index e09847141c..79ebe1515c 100644
--- a/api.planx.uk/modules/ordnanceSurvey/controller.ts
+++ b/api.planx.uk/modules/ordnanceSurvey/controller.ts
@@ -40,7 +41,8 @@ const isValid = (req: Request): boolean =>
 const setCORPHeaders = (proxyRes: IncomingMessage, req: Request): void => {
 proxyRes.headers["Cross-Origin-Resource-Policy"] = "cross-origin";
 proxyRes.headers["Access-Control-Allow-Origin"] = req.headers.origin;
- proxyRes.headers["Access-Control-Allow-Headers"] = "Origin, X-Requested-With, Content-Type, Accept";
+ proxyRes.headers["Access-Control-Allow-Headers"] =
+ "Origin, X-Requested-With, Content-Type, Accept";
 };
 export const appendAPIKey = (fullPath: string, req: Request): string => {
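Review bot: `setCORPHeaders` (patch 3/4, third hunk) echoes `req.headers.origin` into `Access-Control-Allow-Origin` without checking it, so the CORS policy itself allows every origin and, with `credentials: true` from routes.ts, does so for credentialed requests on a proxy that appends the OS API key. Protection then rests entirely on the Referer match in `isValid` (presumably called earlier in `useOrdnanceSurveyProxy`, outside this hunk), and Referer is a weaker signal than Origin. Check the origin against an allowlist before echoing it, skip the header when `origin` is absent (it is undefined on same-origin and most non-browser requests), and add `Vary: Origin` so shared caches do not reuse a response across origins. Whether the existing `MAP_ALLOWLIST` patterns also match bare origins cannot be seen here, so the sketch below assumes they do.

```typescript
const setCORPHeaders = (proxyRes: IncomingMessage, req: Request): void => {
  proxyRes.headers["Cross-Origin-Resource-Policy"] = "cross-origin";
  const origin = req.headers.origin;
  // Only echo an Origin that passes the allowlist; leave the header unset otherwise
  if (origin && MAP_ALLOWLIST.some((re) => re.test(origin))) {
    proxyRes.headers["Access-Control-Allow-Origin"] = origin;
    proxyRes.headers["Vary"] = "Origin";
  }
  // … unchanged: Access-Control-Allow-Headers assignment …
};
```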