From 54a09fce6330b5a3a83fe14f602bb924ebdfb850 Mon Sep 17 00:00:00 2001
From: ejurgensen <espenjurgensen@gmail.com>
Date: Wed, 19 Oct 2016 17:29:22 +0200
Subject: [PATCH] [httpd] Add requirement for Access-Control-Request-Method for
 preflight CORS

---
 src/httpd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/httpd.c b/src/httpd.c
index dc6d63d1..1567f1e3 100644
--- a/src/httpd.c
+++ b/src/httpd.c
@@ -1053,7 +1053,10 @@ httpd_gen_cb(struct evhttp_request *req, void *arg)
 
   // Did we get a CORS preflight request?
   input_headers = evhttp_request_get_input_headers(req);
-  if (allow_origin && (evhttp_request_get_command(req) == EVHTTP_REQ_OPTIONS) && evhttp_find_header(input_headers, "Origin"))
+  if ( input_headers && allow_origin &&
+       (evhttp_request_get_command(req) == EVHTTP_REQ_OPTIONS) &&
+       evhttp_find_header(input_headers, "Origin") &&
+       evhttp_find_header(input_headers, "Access-Control-Request-Method") )
     {
       output_headers = evhttp_request_get_output_headers(req);