Attempt CORS fixes.

src/EEPROMContext.php

@@ -36,7 +36,7 @@ class EEPROMContext {
     }
 
     public function createRouting(bool $isApiDomain): RoutingContext {
-        $routingCtx = new RoutingContext;
+        $routingCtx = new RoutingContext($this->config->scopeTo('cors'));
         $routingCtx->register($this->database);
 
         $routingCtx->register($uploadsViewsRoutes = new Uploads\UploadsViewRoutes(

src/RoutingContext.php

@@ -8,7 +8,7 @@ use Index\Http\Routing\{HttpRouter,Router,RouteHandler};
 class RoutingContext {
     private HttpRouter $router;
 
-    public function __construct() {
+    public function __construct(private Config $config) {
         $this->router = new HttpRouter(
             errorHandler: new EEPROMErrorHandler,
         );
@@ -17,6 +17,22 @@ class RoutingContext {
 
     private function middleware($response, $request) {
         $response->setPoweredBy('EEPROM');
+
+        if($request->hasHeader('Origin')) {
+            $origin = $request->getHeaderLine('Origin');
+            $response->setHeader('Access-Control-Allow-Origin', $origin);
+            $response->setHeader('Vary', 'Origin');
+            $host = parse_url($origin, PHP_URL_HOST);
+            if(is_string($host)) {
+                $host = '.' . $host;
+                $allowCookieOrigins = $this->config->getArray('origins');
+                foreach($allowCookieOrigins as $allowCookieOrigin)
+                    if(str_ends_with($host, '.' . $allowCookieOrigin)) {
+                        $response->setHeader('Access-Control-Allow-Credentials', 'true');
+                        break;
+                    }
+            }
+        } else
             $response->setHeader('Access-Control-Allow-Origin', '*');
     }
 

src/Uploads/UploadsLegacyRoutes.php

@@ -22,9 +22,6 @@ class UploadsLegacyRoutes implements RouteHandler {
 
     #[HttpOptions('/uploads')]
     public function optionsUpload($response, $request): int {
-        if($request->hasHeader('Origin'))
-            $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
         $response->setHeader('Access-Control-Allow-Headers', 'Authorization');
         $response->setHeader('Access-Control-Allow-Methods', 'POST');
 
@@ -33,9 +30,6 @@ class UploadsLegacyRoutes implements RouteHandler {
 
     #[HttpPost('/uploads')]
     public function postUpload($response, $request) {
-        if($request->hasHeader('Origin'))
-            $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
         if(!$request->isFormContent())
             return 400;
 
@@ -195,9 +189,6 @@ class UploadsLegacyRoutes implements RouteHandler {
 
     #[HttpDelete('/uploads/([A-Za-z0-9]+|[A-Za-z0-9\-_]{32})')]
     public function deleteUpload($response, $request, string $uploadId) {
-        if($request->hasHeader('Origin'))
-            $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
         if(!$this->authCtx->info->authed) {
             $response->setStatusCode(401);
             return [

src/Uploads/UploadsViewRoutes.php

@@ -28,9 +28,6 @@ class UploadsViewRoutes implements RouteHandler {
     #[HttpOptions('/([A-Za-z0-9]+|[A-Za-z0-9\-_]{32})(?:\.([a-z0-9]+))?')]
     public function optionsUpload($response, $request, string $uploadId, string $uploadVariant = ''): int {
         if($this->isApiDomain && $uploadVariant === '') {
-            if($request->hasHeader('Origin'))
-                $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
             $response->setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type, Content-Length');
             $response->setHeader('Access-Control-Allow-Methods', 'HEAD, GET, PUT, DELETE');
             $response->setHeader('Access-Control-Max-Age', '300');