2 files changed, 51 insertions, 1 deletions
diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py
index cd7af195..1ad278ba 100644
--- a/python/fatcat_web/__init__.py
+++ b/python/fatcat_web/__init__.py
@@ -42,7 +42,7 @@ else:
     print("No privileged token found")
     priv_api = None
 
-from fatcat_web import routes, auth
+from fatcat_web import routes, auth, cors
 
 gitlab_bp = create_flask_blueprint(Gitlab, oauth, auth.handle_oauth)
 app.register_blueprint(gitlab_bp, url_prefix='/auth/gitlab')
diff --git a/python/fatcat_web/cors.py b/python/fatcat_web/cors.py
new file mode 100644
index 00000000..2285cf80
--- /dev/null
+++ b/python/fatcat_web/cors.py
@@ -0,0 +1,50 @@
+from datetime import timedelta
+from flask import make_response, request, current_app
+from functools import update_wrapper
+
+"""
+This snippet from: http://flask.pocoo.org/snippets/56/
+"Posted by Armin Ronacher on 2011-07-14"
+"""
+
+
+def crossdomain(origin=None, methods=None, headers=None,
+                max_age=21600, attach_to_all=True,
+                automatic_options=True):
+    if methods is not None:
+        methods = ', '.join(sorted(x.upper() for x in methods))
+    if headers is not None and not isinstance(headers, str):
+        headers = ', '.join(x.upper() for x in headers)
+    if not isinstance(origin, str):
+        origin = ', '.join(origin)
+    if isinstance(max_age, timedelta):
+        max_age = max_age.total_seconds()
+
+    def get_methods():
+        if methods is not None:
+            return methods
+
+        options_resp = current_app.make_default_options_response()
+        return options_resp.headers['allow']
+
+    def decorator(f):
+        def wrapped_function(*args, **kwargs):
+            if automatic_options and request.method == 'OPTIONS':
+                resp = current_app.make_default_options_response()
+            else:
+                resp = make_response(f(*args, **kwargs))
+            if not attach_to_all and request.method != 'OPTIONS':
+                return resp
+
+            h = resp.headers
+
+            h['Access-Control-Allow-Origin'] = origin
+            h['Access-Control-Allow-Methods'] = get_methods()
+            h['Access-Control-Max-Age'] = str(max_age)
+            if headers is not None:
+                h['Access-Control-Allow-Headers'] = headers
+            return resp
+
+        f.provide_automatic_options = False
+        return update_wrapper(wrapped_function, f)
+    return decorator