From ea7272437db07d73e2eb5e1c6da24a0c509e369b Mon Sep 17 00:00:00 2001
From: codeskyblue <codeskyblue@gmail.com>
Date: Tue, 19 Dec 2023 10:37:39 +0800
Subject: [PATCH] limit cors only get, head, options

---
 .gitignore                   | 1 +
 README.md                    | 2 +-
 main.go                      | 2 +-
 testdata/filetypes/script.js | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 testdata/filetypes/script.js

diff --git a/.gitignore b/.gitignore
index f88a521..ec435b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ assets_vfsdata.go
 *.swp
 
 dist/
+.DS_Store
diff --git a/README.md b/README.md
index b8837b4..e289474 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Tested with go-1.16
 1. [x] Apple ipa auto generate .plist file, qrcode can be recognized by iphone (Require https)
 1. [x] Plist proxy
 1. [ ] Download count statistics
-1. [x] CORS enabled
+1. [x] CORS enabled (AllowMethods: GET, HEAD, OPTIONS)
 1. [ ] Offline download
 1. [ ] Code file preview
 1. [ ] Edit file support
diff --git a/main.go b/main.go
index 0b5aea4..93d4ef9 100644
--- a/main.go
+++ b/main.go
@@ -207,7 +207,7 @@ func main() {
 
 	// CORS
 	if gcfg.Cors {
-		hdlr = handlers.CORS()(hdlr)
+		hdlr = handlers.CORS(handlers.AllowedMethods([]string{"GET", "HEAD", "OPTIONS"}))(hdlr)
 	}
 	if gcfg.XHeaders {
 		hdlr = handlers.ProxyHeaders(hdlr)
diff --git a/testdata/filetypes/script.js b/testdata/filetypes/script.js
new file mode 100644
index 0000000..414c010
--- /dev/null
+++ b/testdata/filetypes/script.js
@@ -0,0 +1 @@
+document.write("Hello world!")
\ No newline at end of file