From 74a9aae67a42612f9f1852c3b21ac9d684207390 Mon Sep 17 00:00:00 2001
From: pkuzco
Date: Sat, 27 Sep 2025 08:44:47 +0200
Subject: [PATCH 1/2] Add Access-Control-Max-Age header to CORS responses

---
 synapse/http/server.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/synapse/http/server.py b/synapse/http/server.py
index ce9d5630df2..0390b0c9bbd 100644
--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -973,6 +973,10 @@ def set_cors_headers(request: "SynapseRequest") -> None:
 request.setHeader(
 b"Access-Control-Allow-Methods", b"GET, HEAD, POST, PUT, DELETE, OPTIONS"
 )
+
+ # Allow browsers to cache preflight responses for 10 minutes
+ request.setHeader(b"Access-Control-Max-Age", b"600")
+
 if request.path is not None and (
 request.path == b"/_matrix/client/unstable/org.matrix.msc4108/rendezvous"
 or request.path.startswith(b"/_synapse/client/rendezvous")

From 8db7763c0854adb7e0c48d3521342b766f6dd080 Mon Sep 17 00:00:00 2001
From: pkuzco
Date: Mon, 29 Sep 2025 18:33:32 +0200
Subject: [PATCH 2/2] return Access-Control-Max-Age on OPTIONS requests only

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
---
 synapse/http/server.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/synapse/http/server.py b/synapse/http/server.py
index 0390b0c9bbd..e87842f0c7e 100644
--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -975,7 +975,8 @@ def set_cors_headers(request: "SynapseRequest") -> None:
 )
 
 # Allow browsers to cache preflight responses for 10 minutes
- request.setHeader(b"Access-Control-Max-Age", b"600")
+ if request.method == b"OPTIONS":
+ request.setHeader(b"Access-Control-Max-Age", b"600")
 
 if request.path is not None and (
 request.path == b"/_matrix/client/unstable/org.matrix.msc4108/rendezvous"
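Review bot: The comment added in patch 1/2 above the `Access-Control-Max-Age` line records the duration but not its consequence for operators. A browser that has cached a preflight keeps using it for up to 600 seconds, so any later tightening of `Access-Control-Allow-Methods` or the allowed request headers reaches that client only after the entry expires. I would extend the comment to something like `# Preflight results are cached per origin and URL for up to 600 s; CORS policy changes take that long to reach browsers.` The body of `set_cors_headers` starts and ends outside the hunk, so the other headers it sets are not visible here.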
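Review bot: The `if request.method == b"OPTIONS":` branch added in patch 2/2 has no accompanying test, since the diffstat of both patches lists only `synapse/http/server.py`. A later refactor could put the header back on ordinary responses, or drop it from preflights, without anything failing. A test asserting that an OPTIONS response carries `Access-Control-Max-Age: 600` and that a GET response does not would pin the behaviour. As a style point, the lifetime would read better as a named module-level constant, for example `CORS_PREFLIGHT_MAX_AGE_SECONDS = b"600"`, than as a bare literal whose unit is stated only in the comment above the `if`.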