From e9e332b9091555c6b7024b3555a51cb1a060ab7c Mon Sep 17 00:00:00 2001
From: Livio Amstutz <livio.a@gmail.com>
Date: Tue, 26 Apr 2022 16:50:41 +0200
Subject: [PATCH] feat: handle CORS for grpc-web (#3498)

---
 internal/api/api.go | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/internal/api/api.go b/internal/api/api.go
index d267cb0cf2..f45eb9e35c 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -98,7 +98,25 @@ func (a *API) routeGRPC() {
 }
 
 func (a *API) routeGRPCWeb(router *mux.Router) {
-	router.NewRoute().HeadersRegexp("Content-Type", "application/grpc-web.*").Handler(grpcweb.WrapServer(a.grpcServer))
+	router.NewRoute().HeadersRegexp("Content-Type", "application/grpc-web.*").Handler(
+		grpcweb.WrapServer(a.grpcServer,
+			grpcweb.WithAllowedRequestHeaders(
+				[]string{
+					http_util.Origin,
+					http_util.ContentType,
+					http_util.Accept,
+					http_util.AcceptLanguage,
+					http_util.Authorization,
+					http_util.ZitadelOrgID,
+					http_util.XUserAgent,
+					http_util.XGrpcWeb,
+				},
+			),
+			grpcweb.WithOriginFunc(func(_ string) bool {
+				return true
+			}),
+		),
+	)
 }
 
 func (a *API) healthHandler() http.Handler {