Resto: fix CORS

CORS also requires to send the "Access-Control-Allow-Origin" header on
direct requests or requests following preflight requests.

vendors/ocplib-resto/lib_resto-cohttp/cors.ml

@@ -36,15 +36,18 @@ let find_matching_origin allowed_origins origin =
   | [] -> None
   | x :: _ -> Some x
 
+let add_allow_origin headers cors origin_header =
+  match origin_header with
+  | None -> headers
+  | Some origin ->
+      match find_matching_origin cors.allowed_origins origin with
+      | None -> headers
+      | Some allowed_origin ->
+          Cohttp.Header.add headers
+            "Access-Control-Allow-Origin" allowed_origin
+
 let add_headers headers cors origin_header =
   let cors_headers =
     Cohttp.Header.add_multi headers
       "Access-Control-Allow-Headers" cors.allowed_headers in
-  match origin_header with
-  | None -> cors_headers
-  | Some origin ->
-      match find_matching_origin cors.allowed_origins origin with
-      | None -> cors_headers
-      | Some allowed_origin ->
-          Cohttp.Header.add_multi cors_headers
-            "Access-Control-Allow-Origin" [allowed_origin]
+  add_allow_origin cors_headers cors origin_header

vendors/ocplib-resto/lib_resto-cohttp/cors.mli

@@ -14,6 +14,9 @@ type t = {
 
 val default: t
 
+val add_allow_origin:
+  Cohttp.Header.t -> t -> string option -> Cohttp.Header.t
+
 val add_headers:
   Cohttp.Header.t -> t -> string option -> Cohttp.Header.t
 

vendors/ocplib-resto/lib_resto-cohttp/server.ml

@@ -131,6 +131,8 @@ module Make (Encoding : Resto.ENCODING)(Log : LOGGING) = struct
           let headers = Header.init () in
           let headers =
             Header.add headers "content-type" output_content_type in
+          let headers = Cors.add_allow_origin
+              headers server.cors (Header.get req_headers "origin") in
           begin
             match s.types.input with
             | Service.No_input ->