From 651888640f1bd0ca816fede76d03a570a586fec4 Mon Sep 17 00:00:00 2001
From: Daniel Neto
Date: Tue, 29 Oct 2024 15:12:06 -0300
Subject: [PATCH] Update
---
 objects/functions.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/objects/functions.php b/objects/functions.php
index 3288de399266..c8fda1ee5af2 100644
--- a/objects/functions.php
+++ b/objects/functions.php
@@ -2543,6 +2543,7 @@ function allowOrigin()
 global $global;
 cleanUpAccessControlHeader();
+ // Determine origin to allow
 $HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
 if (empty($HTTP_ORIGIN)) {
 $server = parse_url($global['webSiteRootURL']);
@@ -2551,21 +2552,21 @@ function allowOrigin()
 header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
 }
- // Allow access from private networks, if needed
- header('Access-Control-Allow-Private-Network: true');
+ // Allow credentials if needed
+ header("Access-Control-Allow-Credentials: true");
- // Allow credentials (cookies, authorization headers, etc.) if needed
- // Uncomment if required
- // header("Access-Control-Allow-Credentials: true");
+ // Allow private network access
+ header('Access-Control-Allow-Private-Network: true');
- // Specify allowed methods
+ // Set allowed methods
 header("Access-Control-Allow-Methods: GET, HEAD, OPTIONS, POST, PUT");
- // Specify allowed headers, including cache-control
+ // Specify all allowed headers, including cache-control
 header("Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, cache-control");
 }
+
 function cleanUpAccessControlHeader()
 {
 if (!headers_sent()) {
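Review bot: Sending `Access-Control-Allow-Credentials: true` unconditionally in the second hunk is unsafe while `Access-Control-Allow-Origin` still echoes whatever the request supplied in `Origin` (or `Referer`), as the context lines show. With both headers present, a browser will attach the user's cookies to cross-origin requests from any site and let that site read the response, so the session is effectively shared with every origin. The credentials header should be sent only after the origin has been compared against an explicit allowlist, and `Vary: Origin` should accompany a per-request origin so caches do not serve one origin's response to another. The `Referer` fallback also yields a full URL rather than an origin, which browsers will not match. allowOrigin() begins before the first hunk and two of its lines fall between the hunks, so the sketch below only covers the visible part.

```php
    // … unchanged: $HTTP_ORIGIN lookup and Access-Control-Allow-Origin header …

    // Credentials only for the site's own origin; add further trusted origins deliberately
    $site = parse_url($global['webSiteRootURL']);
    $siteOrigin = $site['scheme'] . '://' . $site['host'] . (isset($site['port']) ? ':' . $site['port'] : '');
    if (!empty($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === $siteOrigin) {
        header('Access-Control-Allow-Credentials: true');
    }
    header('Vary: Origin');

    // … unchanged: Private-Network, Allow-Methods and Allow-Headers headers …
```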