From 57cfa7ea06575f996dcff8da72996276aa6f7528 Mon Sep 17 00:00:00 2001
From: "francesco.mangiacrapa" <francesco.mangiacrapa@isti.cnr.it>
Date: Tue, 17 Dec 2024 12:20:56 +0100
Subject: [PATCH] Added `always` property to sent headers also on http errors
 returned (e.g. 4xx or 5xx). See #28488#note-21

---
 defaults/main.yml            | 2 +-
 templates/nginx-cors.conf.j2 | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 6313fd0..b528949 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -91,7 +91,7 @@ nginx_client_body_timeout: 240s
 
 nginx_cors_enabled: false
 nginx_cors_global: true
-nginx_cors_limit_origin: true
+nginx_cors_limit_origin: false
 nginx_cors_extended_rules: false
 nginx_cors_acl_origin: 'http?://(localhost)'
 nginx_access_control_allow_origin_src: "*"
diff --git a/templates/nginx-cors.conf.j2 b/templates/nginx-cors.conf.j2
index aac2ca8..d4bb229 100644
--- a/templates/nginx-cors.conf.j2
+++ b/templates/nginx-cors.conf.j2
@@ -61,8 +61,8 @@ if ($request_method = OPTIONS ) {
 {% if nginx_cors_limit_origin %}
 add_header 'Access-Control-Allow-Credentials' 'true';
 {% endif %}
-add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
-add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
-add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
+add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}' always;
+add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}' always;
+add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}' always;
 {% endif %}