From de11ece3377d0c52292ca426560ad55e60b3e0e6 Mon Sep 17 00:00:00 2001
From: Sindhu Balasubramanian <sindhuba@microsoft.com>
Date: Mon, 12 Jan 2026 17:07:23 -0800
Subject: [PATCH] Cleanup CORSByPass

---
 test/CORSBypass.ts | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/test/CORSBypass.ts b/test/CORSBypass.ts
index 881013c69..14d567263 100644
--- a/test/CORSBypass.ts
+++ b/test/CORSBypass.ts
@@ -11,7 +11,7 @@ export async function setupCORSBypass(page: Page) {
       return;
     }
 
-    //// Handle preflight (OPTIONS) requests separately.
+    // Handle preflight (OPTIONS) requests separately.
     // These should not be forwarded to the target server.
     if (request.method() === "OPTIONS") {
       await route.fulfill({
@@ -20,8 +20,7 @@ export async function setupCORSBypass(page: Page) {
           "Access-Control-Allow-Origin": origin,
           "Access-Control-Allow-Credentials": "true",
           "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS,HEAD",
-          "Access-Control-Request-Headers": "*, x-ms-continuation",
-          "Access-Control-Max-Age": "86400", // Cache preflight response for 1 day
+          "Access-Control-Allow-Headers": request.headers()["access-control-request-headers"] || "*",
           Vary: "Origin",
         },
       });
@@ -35,21 +34,14 @@ export async function setupCORSBypass(page: Page) {
       },
     });
 
-    const responseHeaders = response.headers();
-    // Clean up any pre-existing CORS headers from the real response to avoid conflicts.
-    delete responseHeaders["access-control-allow-origin"];
-    delete responseHeaders["access-control-allow-credentials"];
-
     await route.fulfill({
       status: response.status(),
       headers: {
-        ...responseHeaders,
-        "Access-Control-Allow-Origin": origin,
-        "Access-Control-Allow-Credentials": "true",
-        "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS,HEAD",
+        ...response.headers(),
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "*",
         "Access-Control-Allow-Headers": "*",
-        "Access-Control-Expose-Headers": "x-ms-continuation,x-ms-request-charge,x-ms-session-token",
-        Vary: "Origin",
+        "Access-Control-Allow-Credentials": "*",
       },
       body: await response.body(),
     });