From d58a99ae335effdb687c43173dc02b7d3049c5af Mon Sep 17 00:00:00 2001
From: Dominik George
Date: Thu, 28 Apr 2022 23:41:39 +0200
Subject: [PATCH] Send Origin back as Access-Control-Allow-Origin

Rationale: At this point, we have already verified that the Origin is allowed. Some clients, e.g. those that submit a form using AJAX, will expect a CORS header allowing the request. Instead of setting Access-Control-Allow-Origin *, or setting the header to all allowed origins (thus leaking a list of sites that use the gateway), we can thus simply set the same Origin the browser identifies with.
---
 sendmail.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sendmail.go b/sendmail.go
index f66401f..1d51962 100644
--- a/sendmail.go
+++ b/sendmail.go
@@ -176,6 +176,9 @@ func MuxSecAllowedDomainsHandler(next http.Handler) http.Handler {
 			return
 		}
 
+		// Send the allowed origin back as CORS header
+		w.Header().Set("Access-Control-Allow-Origin", r.Header["Origin"][0])
+
 		next.ServeHTTP(w, r)
 	})
 }
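Review bot: The added `r.Header["Origin"][0]` indexes the header slice directly and panics with an index-out-of-range if no Origin header reaches this line; whether the allow-check above guarantees its presence cannot be seen here, since MuxSecAllowedDomainsHandler begins outside the hunk, and the commit message only says the Origin "is allowed", not that it is required. The safe form is `w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))`, which yields an empty string instead of a crash. Because the response now differs per requesting origin, it should also be marked as such for intermediaries, otherwise a shared cache can hand one site's Access-Control-Allow-Origin to another: add `w.Header().Add("Vary", "Origin")` next to the Set call. Note that echoing the origin is only as safe as the preceding allow-check is strict (exact-match against the configured list rather than prefix or substring); a comment on that check stating this dependency would help future maintainers.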