From ae7847b64baed0865cbc322a5f60a2228d1f7c67 Mon Sep 17 00:00:00 2001
From: Nathan Coad <nathan@thecoads.com>
Date: Tue, 6 Jan 2026 20:03:09 +1100
Subject: [PATCH] adjustment of CORS

---
 cmd/server/main.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 44e14f1..092ea0d 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -295,6 +295,11 @@ func openAPISpecHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func diagramHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodOptions {
+		addCORS(w)
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
 	id := r.URL.Query().Get("id")
 	if id == "" {
 		http.Error(w, "missing id", http.StatusBadRequest)
@@ -305,6 +310,7 @@ func diagramHandler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "not found", http.StatusNotFound)
 		return
 	}
+	addCORS(w)
 	w.Header().Set("Content-Type", "application/xml")
 	_, _ = w.Write([]byte(xml))
 }
@@ -325,6 +331,12 @@ func buildDiagramsNetURL(r *http.Request, id string) string {
 	return "https://app.diagrams.net/?splash=0&ui=min&url=" + url.QueryEscape(base)
 }
 
+func addCORS(w http.ResponseWriter) {
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
+	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+}
+
 func swaggerUIHandler(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)