From d050a7001797a3b84ef244f53bbbe380a1bd7fe3 Mon Sep 17 00:00:00 2001
From: David Larlet <david@larlet.fr>
Date: Wed, 13 Mar 2024 14:02:34 -0400
Subject: [PATCH] Set CORS-related header for oEmbed and map views

---
 umap/tests/test_map_views.py | 8 ++++++++
 umap/views.py                | 8 ++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/umap/tests/test_map_views.py b/umap/tests/test_map_views.py
index 2e2046cc..7f9299a2 100644
--- a/umap/tests/test_map_views.py
+++ b/umap/tests/test_map_views.py
@@ -148,6 +148,13 @@ def test_should_not_consider_the_query_string_for_canonical_check(client, map):
     assert response.status_code == 200
 
 
+def test_map_headers(client, map):
+    url = reverse("map", kwargs={"map_id": map.pk, "slug": map.slug})
+    response = client.get(url)
+    assert response.status_code == 200
+    assert response.headers["Access-Control-Allow-Origin"] == "*"
+
+
 def test_short_url_should_redirect_to_canonical(client, map):
     url = reverse("map_short_url", kwargs={"pk": map.pk})
     canonical = reverse("map", kwargs={"map_id": map.pk, "slug": map.slug})
@@ -804,6 +811,7 @@ def test_oembed_map(client, map, datalayer):
     url = f"{reverse('map_oembed')}?url=http://testserver{map.get_absolute_url()}"
     response = client.get(url)
     assert response.status_code == 200
+    assert response.headers["Access-Control-Allow-Origin"] == "*"
     j = json.loads(response.content.decode())
     assert j["type"] == "rich"
     assert j["version"] == "1.0"
diff --git a/umap/views.py b/umap/views.py
index 2929716c..4d1033f2 100644
--- a/umap/views.py
+++ b/umap/views.py
@@ -615,7 +615,9 @@ class MapView(MapDetailMixin, PermissionsMixin, DetailView):
             if request.META.get("QUERY_STRING"):
                 canonical = "?".join([canonical, request.META["QUERY_STRING"]])
             return HttpResponsePermanentRedirect(canonical)
-        return super(MapView, self).get(request, *args, **kwargs)
+        response = super(MapView, self).get(request, *args, **kwargs)
+        response["Access-Control-Allow-Origin"] = "*"
+        return response
 
     def get_canonical_url(self):
         return self.object.get_absolute_url()
@@ -724,7 +726,9 @@ class MapOEmbed(View):
             f'<p><a href="//{netloc}{map_url}">{label}</a></p>'
         )
         data["html"] = html
-        return simple_json_response(**data)
+        response = simple_json_response(**data)
+        response["Access-Control-Allow-Origin"] = "*"
+        return response
 
 
 class MapViewGeoJSON(MapView):