From 84b4cb1fb4ec7d708d6197135442847187d0142d Mon Sep 17 00:00:00 2001 From: Brian Simpson Date: Tue, 21 Apr 2015 15:17:26 -0400 Subject: [PATCH] Send CORS headers with POST_request_promo response. --- r2/r2/controllers/api.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py index c86a7a678..8924594e3 100644 --- a/r2/r2/controllers/api.py +++ b/r2/r2/controllers/api.py @@ -23,6 +23,7 @@ from r2.controllers.reddit_base import ( cross_domain, hsts_modify_redirect, + is_trusted_origin, MinimalController, pagecache_policy, PAGECACHE_POLICY, @@ -4361,9 +4362,24 @@ class ApiController(RedditController): update_blob(str(code), updates) + def OPTIONS_request_promo(self): + """Send CORS headers for request_promo requests.""" + if "Origin" in request.headers: + origin = request.headers["Origin"] + if is_trusted_origin(origin): + response.headers["Access-Control-Allow-Origin"] = origin + + response.headers["Access-Control-Allow-Methods"] = "POST" + response.headers["Access-Control-Allow-Headers"] = "Authorization, " + response.headers["Access-Control-Allow-Credentials"] = "false" + response.headers['Access-Control-Expose-Headers'] = \ + self.COMMON_REDDIT_HEADERS + @csrf_exempt @validate(srnames=VPrintable("srnames", max_length=2100)) def POST_request_promo(self, srnames): + self.OPTIONS_request_promo() + if not srnames: return
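Review bot: `OPTIONS_request_promo` copies the request's `Origin` into `Access-Control-Allow-Origin` when `is_trusted_origin` accepts it, but nothing in the hunk adds `Origin` to the response's `Vary` header, so an intermediary cache could replay one origin's allow header to a different origin; unless the base controller already handles this outside the hunk, append `Origin` to `Vary` in that same branch. The `Access-Control-Allow-Headers` value `"Authorization, "` ends in an empty list element and reads like a truncated list; `response.headers["Access-Control-Allow-Headers"] = "Authorization"` is the clean form. Browsers act on `Access-Control-Allow-Credentials` only when it is the literal `true`, so the `"false"` line is better dropped than sent. Because `POST_request_promo` now calls a method named for OPTIONS on every POST, a short comment at the call such as `# CORS headers must be on the actual response, not only the preflight` would explain the intent; the body of `POST_request_promo` continues past the end of the hunk.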