From 509edb3ff3e2dd484f504f96d4c9cae3ec77f3b2 Mon Sep 17 00:00:00 2001
From: Kern Walster <kern.walster@gmail.com>
Date: Mon, 23 Feb 2026 10:51:34 -0800
Subject: [PATCH] Add CORS headers to server APIs

---
 webserver/webserver.go | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/webserver/webserver.go b/webserver/webserver.go
index 83c27dff..efbb23d7 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -34,20 +34,22 @@ var StaticRoot string
 var Insecure bool
 
 func Serve(address string, dataDir string) error {
-	http.Handle("/", &fileHandler{http.Dir(StaticRoot)})
-	http.HandleFunc("/group/", groupHandler)
-	http.HandleFunc("/recordings",
+	serverMux := http.NewServeMux()
+	serverMux.Handle("/", &fileHandler{http.Dir(StaticRoot)})
+	serverMux.HandleFunc("/group/", groupHandler)
+	serverMux.HandleFunc("/recordings",
 		func(w http.ResponseWriter, r *http.Request) {
 			http.Redirect(w, r,
 				"/recordings/", http.StatusPermanentRedirect)
 		})
-	http.HandleFunc("/recordings/", recordingsHandler)
-	http.HandleFunc("/ws", wsHandler)
-	http.HandleFunc("/public-groups.json", publicHandler)
-	http.HandleFunc("/galene-api/", apiHandler)
+	serverMux.HandleFunc("/recordings/", recordingsHandler)
+	serverMux.HandleFunc("/ws", wsHandler)
+	serverMux.HandleFunc("/public-groups.json", publicHandler)
+	serverMux.HandleFunc("/galene-api/", apiHandler)
 
 	s := &http.Server{
 		Addr:              address,
+		Handler:           corsHandler(serverMux),
 		ReadHeaderTimeout: 60 * time.Second,
 		IdleTimeout:       120 * time.Second,
 	}
@@ -89,6 +91,13 @@ func Serve(address string, dataDir string) error {
 	return nil
 }
 
+func corsHandler(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		CheckOrigin(w, r, false)
+		next.ServeHTTP(w, r)
+	})
+}
+
 func cspHeader(w http.ResponseWriter, connect string) {
 	c := "connect-src ws: wss: 'self'; "
 	if connect != "" {