API: Add Access-Control-Allow-Headers in CORS preflight response

Otherwise a CORS request won't be able to properly make use of the new
header.

Bug: T76340
Change-Id: I1dbccdf928b85a4b194174d38f505787dd18f745

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 004bfae..7600066 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -526,6 +526,7 @@ class ApiMain extends ApiBase {
                if ( $matchOrigin ) {
                        $response->header( "Access-Control-Allow-Origin: $originParam" );
                        $response->header( 'Access-Control-Allow-Credentials: true' );
+                       $response->header( 'Access-Control-Allow-Headers: Api-User-Agent' );
                        $this->getOutput()->addVaryHeader( 'Origin' );
                }