2 files changed, 23 insertions, 0 deletions

diff --git a/p/api/greader.php b/p/api/greader.php
index 9c3479546..a19512cfd 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -113,6 +113,12 @@ function debugInfo(): string {
 final class GReaderAPI {
 
 	/** @return never */
+	private static function noContent() {
+		header('HTTP/1.1 204 No Content');
+		exit();
+	}
+
+	/** @return never */
 	private static function badRequest() {
 		Minz_Log::warning(__METHOD__, API_LOG);
 		Minz_Log::debug(__METHOD__ . ' ' . debugInfo(), API_LOG);
@@ -987,6 +993,14 @@ final class GReaderAPI {
 	public static function parse() {
 		global $ORIGINAL_INPUT;
 
+		header('Access-Control-Allow-Headers: Authorization');
+		header('Access-Control-Allow-Methods: GET, POST');
+		header('Access-Control-Allow-Origin: *');
+		header('Access-Control-Max-Age: 600');
+		if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+			self::noContent();
+		}
+
 		$pathInfo = '';
 		if (empty($_SERVER['PATH_INFO'])) {
 			if (!empty($_SERVER['ORIG_PATH_INFO'])) {
diff --git a/p/api/query.php b/p/api/query.php
index 8fe3c44b0..fff48503e 100644
--- a/p/api/query.php
+++ b/p/api/query.php
@@ -159,6 +159,15 @@ if ($query->getName() != '') {
 }
 FreshRSS_Context::systemConf()->allow_anonymous = true;
 
+header('Access-Control-Allow-Methods: GET');
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Max-Age: 600');
+header('Cache-Control: public, max-age=60');
+if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+	header('HTTP/1.1 204 No Content');
+	exit();
+}
+
 if (in_array($format, ['rss', 'atom'], true)) {
 	header('Content-Type: application/rss+xml; charset=utf-8');
 	$view->_layout(null);