From d3fd2fe5381144e9ecdcad2c32a11ff57409fdca Mon Sep 17 00:00:00 2001
From: Michael
Date: Tue, 12 Nov 2024 20:41:42 -0600
Subject: [PATCH] Update snippets/global/common-headers.conf

---
 snippets/global/common-headers.conf | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/snippets/global/common-headers.conf b/snippets/global/common-headers.conf
index 5a4ee10..1e103d6 100644
--- a/snippets/global/common-headers.conf
+++ b/snippets/global/common-headers.conf
@@ -5,4 +5,27 @@ add_header X-Robots-Tag none;
 add_header Content-Security-Policy "frame-ancestors 'self'";
 add_header X-Frame-Options DENY;
 add_header Referrer-Policy same-origin;
-add_header Access-Control-Allow-Origin *;
\ No newline at end of file
+
+# CORS Permissive
+# Enable CORS for bsky.app
+set $cors "";
+if ($http_origin ~* "https?://(.*)\.bsky\.app") {
+ set $cors $http_origin;
+}
+
+add_header 'Access-Control-Allow-Origin' $cors always;
+
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
+add_header 'Access-Control-Allow-Credentials' 'true' always;
+
+# Handle preflight OPTIONS requests
+if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' 'https://bsky.app' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+ add_header 'Content-Length' 0;
+ add_header 'Access-Control-Max-Age' 1728000;
+ return 204;
+}
\ No newline at end of file
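Review bot: The origin check `if ($http_origin ~* "https?://(.*)\.bsky\.app")` is unanchored, so any Origin that merely contains `.bsky.app` (for example a constructed `https://a.bsky.app.example.test`) is reflected into `Access-Control-Allow-Origin` while the response also sends `Access-Control-Allow-Credentials: true`. The pattern also accepts plain `http://` and, because `(.*)\.` requires a subdomain label, does not match `https://bsky.app` itself, which the comment and the hard-coded preflight origin suggest is the intended caller. Anchor and tighten it, e.g. `if ($http_origin ~ "^https://([a-z0-9-]+\.)?bsky\.app$") {`, and add `add_header 'Vary' 'Origin' always;` since the header now depends on the request's Origin. Separately, `add_header` inside `if` is only accepted in location context, so this snippet would fail to load if it is included at server level; where it is included is not visible here and should be confirmed.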