From b7294b390538a9119a9be915557fc28b1d700c3e Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Mon, 14 Jul 2025 23:18:56 -0700
Subject: [PATCH] address comment

Service-level responses need both Access-Control-Allow-Methods and Access-Control-Allow-Headers. After setting Access-Control-Allow-Origin and Access-Control-Expose-Headers, also set Access-Control-Allow-Methods: * and Access-Control-Allow-Headers: * so service endpoints satisfy CORS preflight requirements.
---
 weed/s3api/s3err/error_handler.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/weed/s3api/s3err/error_handler.go b/weed/s3api/s3err/error_handler.go
index 2c0579770..81335c489 100644
--- a/weed/s3api/s3err/error_handler.go
+++ b/weed/s3api/s3err/error_handler.go
@@ -90,6 +90,8 @@ func setCommonHeaders(w http.ResponseWriter, r *http.Request) {
 		if !isBucketRequest && w.Header().Get("Access-Control-Allow-Origin") == "" {
 			// This is a service-level request (like OPTIONS /), apply static CORS
 			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "*")
+			w.Header().Set("Access-Control-Allow-Headers", "*")
 			w.Header().Set("Access-Control-Expose-Headers", "*")
 			w.Header().Set("Access-Control-Allow-Credentials", "true")
 		}