From 37b9a73821ab7e89f42ca3359ad7daeda8a2985a Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Mon, 14 Oct 2024 19:29:35 +0200
Subject: [PATCH] Hide Access-Control-Allow-Origin before adding it again.

---
 templates/nginx-cors.conf.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/templates/nginx-cors.conf.j2 b/templates/nginx-cors.conf.j2
index 5d6192e..cd96e1c 100644
--- a/templates/nginx-cors.conf.j2
+++ b/templates/nginx-cors.conf.j2
@@ -1,8 +1,10 @@
 {% if nginx_cors_extended_rules %}
 if ($request_method = 'OPTIONS') {
 {% if nginx_cors_limit_origin %}
+    proxy_hide_header Access-Control-Allow-Origin;
     add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
 {% else %}
+    proxy_hide_header Access-Control-Allow-Origin;
     add_header 'Access-Control-Allow-Origin' '{{ nginx_access_control_allow_origin_src | default("*") }}';
 {% endif %}
     add_header 'Access-Control-Allow-Credentials' 'true';
@@ -21,8 +23,10 @@ if ($request_method = 'OPTIONS') {
 }
 if ($request_method = 'POST') {
 {% if nginx_cors_limit_origin %}
+    proxy_hide_header Access-Control-Allow-Origin;
     add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
 {% else %}
+    proxy_hide_header Access-Control-Allow-Origin;
     add_header 'Access-Control-Allow-Origin' '{{ nginx_access_control_allow_origin_src | default("*") }}';
 {% endif %}
     add_header 'Access-Control-Allow-Credentials' 'true';
@@ -32,8 +36,10 @@ if ($request_method = 'POST') {
 }
 if ($request_method = 'GET') {
 {% if nginx_cors_limit_origin %}
+    proxy_hide_header Access-Control-Allow-Origin;
     add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
 {% else %}
+    proxy_hide_header Access-Control-Allow-Origin;
     add_header 'Access-Control-Allow-Origin' '{{ nginx_access_control_allow_origin_src | default("*") }}';
 {% endif %}
     add_header 'Access-Control-Allow-Credentials' 'true';
@@ -43,8 +49,10 @@ if ($request_method = 'GET') {
 }
 {% else %}
 {% if nginx_cors_limit_origin %}
+proxy_hide_header Access-Control-Allow-Origin;
 add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
 {% else %}
+proxy_hide_header Access-Control-Allow-Origin;
 add_header 'Access-Control-Allow-Origin' '{{ nginx_access_control_allow_origin_src | default("*") }}';
 {% endif %}
 if ($request_method = OPTIONS ) {