FIX: cors setting was broken

Some days I wonder why we bother taking a whole gem
dependency when 10 lines of code does the job right

Gemfile

@@ -208,8 +208,6 @@ gem 'htmlentities', require: false
 gem 'flamegraph', require: false
 gem 'rack-mini-profiler', require: false
 
-# used for caching, optional
-gem 'rack-cors', require: false
 gem 'unicorn', require: false
 gem 'puma', require: false
 gem 'rbtrace', require: false, platform: :mri

Gemfile.lock

@@ -248,7 +248,6 @@ GEM
     qunit-rails (0.0.7)
       railties
     rack (1.5.2)
-    rack-cors (0.2.9)
     rack-mini-profiler (0.9.1)
       rack (>= 1.1.3)
     rack-openid (1.3.1)
@@ -455,7 +454,6 @@ DEPENDENCIES
   pry-rails
   puma
   qunit-rails
-  rack-cors
   rack-mini-profiler
   rack-protection
   rails

config/initializers/08-rack-cors.rb

@@ -1,10 +1,23 @@
-if GlobalSetting.enable_cors
+if GlobalSetting.enable_cors && GlobalSetting.cors_origin.present?
-  require 'rack/cors'
 
-  Rails.configuration.middleware.use Rack::Cors do
+  class Discourse::Cors
-    allow do
+    def initialize(app, options = nil)
-      origins GlobalSetting.cors_origin.split(',').map(&:strip)
+      @app = app
-      resource '*', headers: :any, methods: [:get, :post, :options]
+      @origins = GlobalSetting.cors_origin.split(',').map(&:strip)
+    end
+
+    def call(env)
+      status, headers, body = @app.call(env)
+      origin = nil
+
+      if origin = env['HTTP_ORIGIN']
+        origin = nil unless @origins.include? origin
+      end
+
+      headers['Access-Control-Allow-Origin'] = origin || @origins[0]
+      [status,headers,body]
     end
   end
+
+  Rails.configuration.middleware.insert 0, Discourse::Cors
 end