From 342f5e9048be267fd4f6f80fced18482b1d7231a Mon Sep 17 00:00:00 2001 From: Melvin Carvalho Date: Fri, 8 May 2026 03:02:41 +0200 Subject: [PATCH] git handler: allow Git-Protocol in CORS preflight (#371) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Browser git clients on protocol v2 (e.g. isomorphic-git) send a Git-Protocol: version=2 request header. Without it in Access-Control-Allow-Headers, the preflight fails and the smart-HTTP flow never starts cross-origin. Two callsites — the OPTIONS preflight handler and the streaming-response header block both replied with the same hard-coded list. Adding "Git-Protocol" to both. The frontend's protocolVersion: 1 workaround can go away once a server with this fix ships. --- src/handlers/git.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/handlers/git.js b/src/handlers/git.js index 9a2a703..9e45c26 100644 --- a/src/handlers/git.js +++ b/src/handlers/git.js @@ -97,7 +97,7 @@ export async function handleGit(request, reply) { if (request.method === 'OPTIONS') { reply.header('Access-Control-Allow-Origin', '*'); reply.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS'); - reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization'); + reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, Git-Protocol'); return reply.code(200).send(); } @@ -217,7 +217,7 @@ export async function handleGit(request, reply) { // Add CORS headers for browser git clients reply.raw.setHeader('Access-Control-Allow-Origin', '*'); reply.raw.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS'); - reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization'); + reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Git-Protocol'); reply.raw.writeHead(statusCode); headersSent = true;