From 21227ce59f89d7136ee80ff5c02def9f37a0a25b Mon Sep 17 00:00:00 2001
From: Catherine <whitequark@whitequark.org>
Date: Sun, 21 Sep 2025 08:19:08 +0000
Subject: [PATCH] Only send `Access-Control-Allow-Origin:` in response to a
 CORS request.

This saves a bit of bandwidth. NFC otherwise.
---
 src/pages.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/pages.go b/src/pages.go
index 43f676a..5ba8b07 100644
--- a/src/pages.go
+++ b/src/pages.go
@@ -53,8 +53,10 @@ func getPage(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	// allow JavaScript code to access responses (including errors) even across origins
-	w.Header().Set("Access-Control-Allow-Origin", "*")
+	if r.Header.Get("Origin") != "" {
+		// allow JavaScript code to access responses (including errors) even across origins
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+	}
 
 	if sitePath == ".git-pages" {
 		// metadata directory name shouldn't be served even if present in site manifest