TiddlyWiki · kixam · Aug 28, 2025
diff --git a/core/modules/server/server.js b/core/modules/server/server.js
@@ -42,6 +42,8 @@ function Server(options) {
 	}
 	// Setup the default required plugins
 	this.requiredPlugins = this.get("required-plugins").split(',');
+	// Initialise CORS
+	this.corsDisable = this.get("cors-disable") === "yes";
 	// Initialise CSRF
 	this.csrfDisable = this.get("csrf-disable") === "yes";
 	// Initialize Gzip compression
@@ -256,6 +258,13 @@ Server.prototype.requestHandler = function(request,response,options) {
 	state.urlInfo = url.parse(request.url);
 	state.queryParameters = querystring.parse(state.urlInfo.query);
 	state.pathPrefix = options.pathPrefix || this.get("path-prefix") || "";
+	// Disable CORS
+	if(this.corsDisable) {
+		response.setHeader("Access-Control-Allow-Origin", "*");
+		response.setHeader("Access-Control-Allow-Headers", "*");
+		response.setHeader("Access-Control-Allow-Methods", "*");
+		response.setHeader("Access-Control-Expose-Headers", "*");
+	}
 	state.sendResponse = sendResponse.bind(self,request,response);
 	// Get the principals authorized to access this resource
 	state.authorizationType = options.authorizationType || this.methodMappings[request.method] || "readers";
@@ -280,6 +289,12 @@ Server.prototype.requestHandler = function(request,response,options) {
 		response.end();
 		return;
 	}
+	// Reply to OPTIONS
+	if(this.corsDisable && request.method === "OPTIONS") {
+		response.writeHead(204);
+		response.end();
+		return;
+	}
 	// Find the route that matches this path
 	var route = self.findMatchingRoute(request,state);
 	// Optionally output debug info