Access-Control-Allow-Headers: Authorization, Content-Type - refs #1922

datasette/utils/__init__.py

@@ -1129,7 +1129,7 @@ async def derive_named_parameters(db, sql):
 
 def add_cors_headers(headers):
     headers["Access-Control-Allow-Origin"] = "*"
-    headers["Access-Control-Allow-Headers"] = "Authorization"
+    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
     headers["Access-Control-Expose-Headers"] = "Link"
     headers["Access-Control-Allow-Methods"] = "GET, POST, HEAD, OPTIONS"
 

docs/json_api.rst

@@ -13,7 +13,7 @@ If you started Datasette with the ``--cors`` option, each JSON endpoint will be
 served with the following additional HTTP headers::
 
     Access-Control-Allow-Origin: *
-    Access-Control-Allow-Headers: Authorization
+    Access-Control-Allow-Headers: Authorization, Content-Type
     Access-Control-Expose-Headers: Link
     Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS
 

tests/test_api.py

@@ -912,7 +912,7 @@ def test_cors(
     response = app_client_with_cors.get(path)
     assert response.status == status_code
     assert response.headers["Access-Control-Allow-Origin"] == "*"
-    assert response.headers["Access-Control-Allow-Headers"] == "Authorization"
+    assert response.headers["Access-Control-Allow-Headers"] == "Authorization, Content-Type"
     assert response.headers["Access-Control-Expose-Headers"] == "Link"
     assert (
         response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"