From 5817a8a5f8700214eb5fc53f5519aa6c9f56d62a Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Mon, 19 Jun 2017 18:20:44 -0400
Subject: [PATCH] Return error on bad CORS and add Header specification to API
 request primitive

---
 api/request.go | 9 +++++++++
 http/cors.go   | 3 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/api/request.go b/api/request.go
index 685e2d7e4..83a28bd9f 100644
--- a/api/request.go
+++ b/api/request.go
@@ -14,6 +14,7 @@ type Request struct {
 	Method      string
 	URL         *url.URL
 	Params      url.Values
+	Headers     http.Header
 	ClientToken string
 	WrapTTL     string
 	Obj         interface{}
@@ -60,6 +61,14 @@ func (r *Request) ToHTTP() (*http.Request, error) {
 	req.URL.Host = r.URL.Host
 	req.Host = r.URL.Host
 
+	if r.Headers != nil {
+		for header, vals := range r.Headers {
+			for _, val := range vals {
+				req.Header.Add(header, val)
+			}
+		}
+	}
+
 	if len(r.ClientToken) != 0 {
 		req.Header.Set("X-Vault-Token", r.ClientToken)
 	}
diff --git a/http/cors.go b/http/cors.go
index 5bd0a1366..2a25a377f 100644
--- a/http/cors.go
+++ b/http/cors.go
@@ -1,6 +1,7 @@
 package http
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 
@@ -40,7 +41,7 @@ func wrapCORSHandler(h http.Handler, core *vault.Core) http.Handler {
 		// Return a 403 if the origin is not
 		// allowed to make cross-origin requests.
 		if !corsConf.IsValidOrigin(origin) {
-			w.WriteHeader(http.StatusForbidden)
+			respondError(w, http.StatusForbidden, fmt.Errorf("origin not allowed"))
 			return
 		}