Adding support for preflight request headers

Just as stated in http://www.w3.org/TR/cors/#preflight-request, we must return some extra headers when dealing with preflight (HTTP OPTIONS method) requests.

httpbin/core.py

@@ -44,6 +44,11 @@ sentry = Sentry(app)
 @app.after_request
 def set_cors_headers(response):
     response.headers['Access-Control-Allow-Origin'] = '*'
+    if request.method == 'OPTIONS':
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.headers['Access-Control-Allow-Credentials'] = 'true'
+        response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS'
+        response.headers['Access-Control-Max-Age'] = str(60 * 60) # 1 hour cache
     return response
 
 

test_httpbin.py

@@ -45,6 +45,16 @@ class HttpbinTestCase(unittest.TestCase):
         response = self.app.get('/get')
         self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), '*')
 
+    def test_set_cors_headers_with_options_verb(self):
+        response = self.app.open('/get', method='OPTIONS')
+        self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), '*')
+        self.assertEquals(response.headers.get('Access-Control-Allow-Credentials'), 'true')
+        self.assertEquals(response.headers.get('Access-Control-Allow-Methods'), 'GET, POST, PUT, DELETE, PATCH, OPTIONS')
+        self.assertEquals(response.headers.get('Access-Control-Max-Age'), '3600')
+        self.assertNotIn('Access-Control-Allow-Headers', response.headers)  # FIXME should we add any extra headers?
+
+
+
 
 if __name__ == '__main__':
     unittest.main()