From 54da239e0f2fad6e1f7e36bc9226ed04942439cf Mon Sep 17 00:00:00 2001
From: Chris Kalafarski <chris@farski.com>
Date: Wed, 11 Mar 2026 13:41:13 -0400
Subject: [PATCH] Add CORS support to Dovetail CDN

---
 cdn/dovetail-cdn/cloudfront.yml               | 24 +++++++++++++------
 .../templates/apps/dovetail-cdn-arranger.yml  |  9 +++++++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/cdn/dovetail-cdn/cloudfront.yml b/cdn/dovetail-cdn/cloudfront.yml
index a8fd3e40..7baf9beb 100644
--- a/cdn/dovetail-cdn/cloudfront.yml
+++ b/cdn/dovetail-cdn/cloudfront.yml
@@ -200,6 +200,9 @@ Resources:
   CloudFrontCachePolicy:
     Type: AWS::CloudFront::CachePolicy
     Properties:
+      # The headers, cookies, and query strings that are included in the
+      # CACHE KEY (CachePolicyConfig) are also included in requests that
+      # CloudFront sends to the origin.
       CachePolicyConfig:
         Comment: !Sub Policy for ${AWS::StackName}
         DefaultTTL: 86400
@@ -212,12 +215,19 @@ Resources:
           EnableAcceptEncodingBrotli: false
           EnableAcceptEncodingGzip: false
           HeadersConfig:
-            HeaderBehavior: none
+            HeaderBehavior: whitelist
+            Headers:
+              - Origin
+              - Access-Control-Request-Headers
+              - Access-Control-Request-Method
           QueryStringsConfig:
             QueryStringBehavior: none
   CloudFrontOriginRequestPolicy:
     Type: AWS::CloudFront::OriginRequestPolicy
     Properties:
+      # The headers, cookies, and query strings that are included in the
+      # CACHE KEY (CachePolicyConfig) are also included in requests that
+      # CloudFront sends to the origin.
       OriginRequestPolicyConfig:
         Comment: !Sub Policy for ${AWS::StackName}
         CookiesConfig:
@@ -331,8 +341,8 @@ Resources:
         CacheBehaviors:
           - Fn::If:
               - HasRegion1
-              - AllowedMethods: [HEAD, GET]
-                CachedMethods: [HEAD, GET]
+              - AllowedMethods: [HEAD, GET, OPTIONS]
+                CachedMethods: [HEAD, GET, OPTIONS]
                 CachePolicyId: !Ref CloudFrontCachePolicy
                 Compress: false
                 FunctionAssociations:
@@ -349,8 +359,8 @@ Resources:
               - !Ref AWS::NoValue
           - Fn::If:
               - HasRegion2
-              - AllowedMethods: [HEAD, GET]
-                CachedMethods: [HEAD, GET]
+              - AllowedMethods: [HEAD, GET, OPTIONS]
+                CachedMethods: [HEAD, GET, OPTIONS]
                 CachePolicyId: !Ref CloudFrontCachePolicy
                 Compress: false
                 FunctionAssociations:
@@ -367,8 +377,8 @@ Resources:
               - !Ref AWS::NoValue
           - Fn::If:
               - HasRegion3
-              - AllowedMethods: [HEAD, GET]
-                CachedMethods: [HEAD, GET]
+              - AllowedMethods: [HEAD, GET, OPTIONS]
+                CachedMethods: [HEAD, GET, OPTIONS]
                 CachePolicyId: !Ref CloudFrontCachePolicy
                 Compress: false
                 FunctionAssociations:
diff --git a/spire/templates/apps/dovetail-cdn-arranger.yml b/spire/templates/apps/dovetail-cdn-arranger.yml
index 24bdc340..338ec156 100644
--- a/spire/templates/apps/dovetail-cdn-arranger.yml
+++ b/spire/templates/apps/dovetail-cdn-arranger.yml
@@ -43,6 +43,15 @@ Resources:
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
     Properties:
+      CorsConfiguration:
+        CorsRules:
+          - AllowedHeaders:
+              - "*"
+            AllowedMethods:
+              - GET
+              - HEAD
+            AllowedOrigins:
+              - "*"
       LifecycleConfiguration:
         Rules:
           - ExpirationInDays: 1