From 0919187a3ae33ee59bc47f78db82e1ef851a94cd Mon Sep 17 00:00:00 2001
From: Leo Lamprecht <mindrun@icloud.com>
Date: Fri, 10 Feb 2017 21:58:06 +0100
Subject: [PATCH] CORS headers should apply to all responses

---
 lib/server.js | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/server.js b/lib/server.js
index 271801be..4c9fdd31 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -15,6 +15,21 @@ const stream = require('send')
 const renderDirectory = require('./render')
 
 module.exports = async (req, res, flags, current, ignoredFiles) => {
+  const headers = {}
+
+  if (flags.cors) {
+    headers['Access-Control-Allow-Origin'] = '*'
+    headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range'
+  }
+
+  for (const header in headers) {
+    if (!{}.hasOwnProperty.call(headers, header)) {
+      continue
+    }
+
+    res.setHeader(header, headers[header])
+  }
+
   if (flags.auth) {
     const credentials = auth(req)
 
@@ -100,21 +115,6 @@ module.exports = async (req, res, flags, current, ignoredFiles) => {
     return stream(req, indexPath).pipe(res)
   }
 
-  const headers = {}
-
-  if (flags.cors) {
-    headers['Access-Control-Allow-Origin'] = '*'
-    headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range'
-  }
-
-  for (const header in headers) {
-    if (!{}.hasOwnProperty.call(headers, header)) {
-      continue
-    }
-
-    res.setHeader(header, headers[header])
-  }
-
   // Serve files without a mime type as text
   stream.mime.default_type = 'text/plain'