Adjusting reapply_cors logic to return the first match rather than th…

…e specified origin header
Kinto · Nov 21, 2024 · 77eefbb · 77eefbb
1 parent 8e9f42d
commit 77eefbb
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/kinto/core/utils.py b/kinto/core/utils.py
@@ -262,8 +262,9 @@ def reapply_cors(request, response):
             settings = request.registry.settings
             allowed_origins = set(aslist(settings["cors_origins"]))
             required_origins = {"*", origin}
+            matches = allowed_origins.intersection(required_origins)
             if allowed_origins.intersection(required_origins):
-                response.headers["Access-Control-Allow-Origin"] = origin
+                response.headers["Access-Control-Allow-Origin"] = matches.pop()
 
         # Import service here because kinto.core import utils
         from kinto.core import Service