From bc1c789babe9f395b41f39a15e726f7427de3dfe Mon Sep 17 00:00:00 2001
From: Julius Volz
Date: Wed, 24 Jun 2015 17:26:49 +0200
Subject: [PATCH] Disallow cross-origin DELETE and POST requests.
---
 web/api/v1/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/api/v1/api.go b/web/api/v1/api.go
index 7ea276e37..79dec86a6 100644
--- a/web/api/v1/api.go
+++ b/web/api/v1/api.go
@@ -65,7 +65,7 @@ type API struct {
 // Enables cross-site script calls.
 func setCORS(w http.ResponseWriter) {
 w.Header().Set("Access-Control-Allow-Headers", "Accept, Authorization, Content-Type, Origin")
- w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
+ w.Header().Set("Access-Control-Allow-Methods", "GET")
 w.Header().Set("Access-Control-Allow-Origin", "*")
 w.Header().Set("Access-Control-Expose-Headers", "Date")
 }
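Review bot: Dropping `POST` from `Access-Control-Allow-Methods` in setCORS does not stop browsers from sending cross-origin POSTs. POST is a CORS-safelisted method, so a form-encoded POST goes out with no preflight, and a preflighted one is not rejected on the method list; `Content-Type` is also still listed in `Access-Control-Allow-Headers`. Only the `DELETE` removal is enforced by the browser. If any state-changing POST route shares these headers (not visible in this hunk), it needs a server-side check, such as rejecting requests whose `Origin` header is present and not same-origin. The doc comment should also reflect the narrower intent, e.g. `// setCORS allows cross-origin read-only (GET) access to the API.`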