address comment

Service-level responses need both Access-Control-Allow-Methods and Access-Control-Allow-Headers. After setting Access-Control-Allow-Origin and Access-Control-Expose-Headers, also set Access-Control-Allow-Methods: * and Access-Control-Allow-Headers: * so service endpoints satisfy CORS preflight requirements.

weed/s3api/s3err/error_handler.go

@@ -90,6 +90,8 @@ func setCommonHeaders(w http.ResponseWriter, r *http.Request) {
 		if !isBucketRequest && w.Header().Get("Access-Control-Allow-Origin") == "" {
 			// This is a service-level request (like OPTIONS /), apply static CORS
 			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "*")
+			w.Header().Set("Access-Control-Allow-Headers", "*")
 			w.Header().Set("Access-Control-Expose-Headers", "*")
 			w.Header().Set("Access-Control-Allow-Credentials", "true")
 		}