From ecfdac67648582d39ac8da279777e10b0bdd2e81 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Fri, 5 Dec 2025 08:14:51 +0100
Subject: [PATCH] Fix CORS handling by adding 'always' to
 Access-Control-Allow-Origin

Ensures the header is included for all HTTP status codes, preventing CORS failures during logout requests.
Details: https://chatgpt.com/share/69328659-8d80-800f-9dbc-2bcf15923a1f
---
 roles/web-svc-logout/templates/logout-proxy.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/web-svc-logout/templates/logout-proxy.conf.j2 b/roles/web-svc-logout/templates/logout-proxy.conf.j2
index 628f456d..6a5006b8 100644
--- a/roles/web-svc-logout/templates/logout-proxy.conf.j2
+++ b/roles/web-svc-logout/templates/logout-proxy.conf.j2
@@ -8,7 +8,7 @@ location = /logout {
     proxy_http_version 1.1;
 
     {# CORS headers – allow your central page to call this #}
-    {%- set aca_origin = domains | get_url('web-svc-logout', WEB_PROTOCOL) -%}
+    {%- set aca_origin = domains | get_url('web-svc-logout', WEB_PROTOCOL) ~ " always" -%}
     {%- set aca_credentials = "'true' always" -%}
     {%- set aca_methods = "'GET, OPTIONS' always" -%}
     {%- set aca_headers = "'Accept, Authorization' always" -%}