From 831515b834b1bf465a5c64e69ce505d22f75b35b Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Sun, 5 May 2019 07:59:45 -0400
Subject: [PATCH] Respect --cors for error pages, closes #453

---
 datasette/app.py  |  7 +++++--
 tests/test_api.py | 16 ++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/datasette/app.py b/datasette/app.py
index 69c644fa..d723a5bc 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -905,11 +905,14 @@ class Datasette:
                 {"ok": False, "error": message, "status": status, "title": title}
             )
             if request is not None and request.path.split("?")[0].endswith(".json"):
-                return response.json(info, status=status)
+                r = response.json(info, status=status)
 
             else:
                 template = self.jinja_env.select_template(templates)
-                return response.html(template.render(info), status=status)
+                r = response.html(template.render(info), status=status)
+            if self.cors:
+                r.headers["Access-Control-Allow-Origin"] = "*"
+            return r
 
         # First time server starts up, calculate table counts for immutable databases
         @app.listener("before_server_start")
diff --git a/tests/test_api.py b/tests/test_api.py
index 520cd0f8..a13e53e5 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -6,6 +6,7 @@ from .fixtures import (  # noqa
     app_client_shorter_time_limit,
     app_client_larger_cache_size,
     app_client_returned_rows_matches_page_size,
+    app_client_with_cors,
     app_client_with_dot,
     generate_compound_rows,
     generate_sortable_rows,
@@ -1474,3 +1475,18 @@ def test_trace(app_client):
     assert isinstance(traces["num_traces"], int)
     assert isinstance(traces["traces"], dict)
     assert len(traces["traces"]["queries"]) == traces["num_traces"]
+
+
+@pytest.mark.parametrize(
+    "path,status_code",
+    [
+        ("/fixtures.json", 200),
+        ("/fixtures/no_primary_key.json", 200),
+        # A 400 invalid SQL query should still have the header:
+        ("/fixtures.json?sql=select+blah", 400),
+    ],
+)
+def test_cors(app_client_with_cors, path, status_code):
+    response = app_client_with_cors.get(path)
+    assert response.status == status_code
+    assert "*" == response.headers["Access-Control-Allow-Origin"]