From 09693d8fc6cc05aa47efd2626dd6d4453ca9d3f2 Mon Sep 17 00:00:00 2001
From: Tom Ballinger
Date: Fri, 27 Dec 2024 18:39:51 -0800
Subject: [PATCH] Allow more headers in CORS policies (#32637)
GitOrigin-RevId: a008a79455d0c85bc909892952ff0417c7527d09
---
 crates/common/src/http/mod.rs | 10 +++++++---
 crates/local_backend/src/router.rs | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/crates/common/src/http/mod.rs b/crates/common/src/http/mod.rs
index 91494781..e2c69466 100644
--- a/crates/common/src/http/mod.rs
+++ b/crates/common/src/http/mod.rs
@@ -57,6 +57,7 @@ use http::{
 HeaderName,
 HeaderValue,
 ACCEPT,
+ ACCEPT_LANGUAGE,
 AUTHORIZATION,
 CONTENT_TYPE,
 REFERER,
@@ -1139,12 +1140,15 @@ impl fmt::Display for LogOptFmt {
 pub fn cli_cors() -> CorsLayer {
 CorsLayer::new()
 .allow_headers(vec![
- CONTENT_TYPE,
- AUTHORIZATION,
+ "baggage".parse().unwrap(),
+ "sentry-trace".parse().unwrap(),
 ACCEPT,
+ ACCEPT_LANGUAGE,
+ AUTHORIZATION,
+ CONTENT_TYPE,
+ CONVEX_CLIENT_HEADER,
 REFERER,
 USER_AGENT,
- CONVEX_CLIENT_HEADER,
 ])
 .allow_credentials(true)
 .allow_methods(vec![
diff --git a/crates/local_backend/src/router.rs b/crates/local_backend/src/router.rs
index 39613abd..d6f5b720 100644
--- a/crates/local_backend/src/router.rs
+++ b/crates/local_backend/src/router.rs
@@ -30,8 +30,12 @@ use common::{
 };
 use http::{
 header::{
+ ACCEPT,
+ ACCEPT_LANGUAGE,
 AUTHORIZATION,
 CONTENT_TYPE,
+ REFERER,
+ USER_AGENT,
 },
 request,
 HeaderValue,
@@ -341,7 +345,17 @@ where
 pub fn cors() -> CorsLayer {
 CorsLayer::new()
- .allow_headers(vec![CONTENT_TYPE, "sentry-trace".parse().unwrap(), "baggage".parse().unwrap(), CONVEX_CLIENT_HEADER, AUTHORIZATION])
+ .allow_headers(vec![
+ "baggage".parse().unwrap(),
+ "sentry-trace".parse().unwrap(),
+ ACCEPT,
+ ACCEPT_LANGUAGE,
+ AUTHORIZATION,
+ CONTENT_TYPE,
+ CONVEX_CLIENT_HEADER,
+ REFERER,
+ USER_AGENT,
+ ])
 .allow_credentials(true)
 .allow_methods(vec![
 Method::GET,
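Review bot: The allow-list in `cli_cors()` (crates/common/src/http/mod.rs, second hunk) is now a line-for-line copy of the one in `cors()` in crates/local_backend/src/router.rs, and this commit appears to exist because the two had drifted apart. router.rs already imports from `common`, so a single helper in this module returning the `Vec<HeaderName>` would keep them in step, with both call sites reduced to `.allow_headers(cors_allowed_headers())` (the helper name is only a suggestion). The two custom names would also read more clearly as `HeaderName::from_static("baggage")` and `HeaderName::from_static("sentry-trace")` than as `.parse().unwrap()`, which relies on type inference to say what is being parsed. The body of `cli_cors()` continues past the end of the hunk.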
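Review bot: In `cors()` (crates/local_backend/src/router.rs, last hunk) the widened header list sits directly above `.allow_credentials(true)`, so every name added here is one a cross-origin page may send on a credentialed request. How far that reaches depends on the origin policy, which is not visible in this hunk because the builder chain continues past `Method::GET,`. It is worth confirming that the origin setting is an explicit list or predicate rather than a reflection of the request's `Origin`. The reason for each group could be recorded in a comment above the list, for example `// baggage, sentry-trace: presumably tracing propagation headers sent by the browser SDK`. The same applies to `cli_cors()` in crates/common/src/http/mod.rs.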