Make cors middleware more generic and link it just to application level

lib/cartodb/controllers/map/anonymous.js

@@ -1,7 +1,6 @@
 const windshaft = require('windshaft');
 const MapConfig = windshaft.model.MapConfig;
 const Datasource = windshaft.model.Datasource;
-const cors = require('../../middleware/cors');
 const cleanUpQueryParams = require('../../middleware/clean-up-query-params');
 const credentials = require('../../middleware/credentials');
 const dbConnSetup = require('../../middleware/db-conn-setup');
@@ -66,9 +65,9 @@ function AnonymousMapController (
 module.exports = AnonymousMapController;
 
 AnonymousMapController.prototype.register = function (mapRouter) {
+    mapRouter.options('/');
     mapRouter.get('/', this.composeCreateMapMiddleware());
     mapRouter.post('/', this.composeCreateMapMiddleware());
-    mapRouter.options('/', cors('Content-Type'));
 };
 
 AnonymousMapController.prototype.composeCreateMapMiddleware = function () {

lib/cartodb/controllers/template/admin.js

@@ -1,5 +1,4 @@
 const { templateName } = require('../../backends/template_maps');
-const cors = require('../../middleware/cors');
 const credentials = require('../../middleware/credentials');
 const rateLimit = require('../../middleware/rate-limit');
 const { RATE_LIMIT_ENDPOINTS_GROUPS } = rateLimit;
@@ -20,6 +19,8 @@ function AdminTemplateController(authApi, templateMaps, userLimitsApi) {
 module.exports = AdminTemplateController;
 
 AdminTemplateController.prototype.register = function (templateRouter) {
+    templateRouter.options(`/:template_id`);
+
     templateRouter.post(
         `/`,
         credentials(),
@@ -66,8 +67,6 @@ AdminTemplateController.prototype.register = function (templateRouter) {
         listTemplates({ templateMaps: this.templateMaps }),
         sendResponse()
     );
-
-    templateRouter.options(`/:template_id`, cors('Content-Type'));
 };
 
 function checkContentType ({ action, label }) {

lib/cartodb/middleware/cors.js

@@ -1,13 +1,17 @@
-module.exports = function cors (extraHeaders) {
+module.exports = function cors () {
     return function corsMiddleware (req, res, next) {
-        let baseHeaders = "X-Requested-With, X-Prototype-Version, X-CSRF-Token";
+        const headers = [
+            'X-Requested-With',
+            'X-Prototype-Version',
+            'X-CSRF-Token'
+        ];
 
-        if(extraHeaders) {
-            baseHeaders += ", " + extraHeaders;
+        if (req.method === 'OPTIONS') {
+            headers.push('Content-Type');
         }
 
         res.set("Access-Control-Allow-Origin", "*");
-        res.set("Access-Control-Allow-Headers", baseHeaders);
+        res.set("Access-Control-Allow-Headers", headers.join(', '));
 
         next();
     };