# =====================================================================
#  Nadiplayer cPanel /.htaccess
#  Belt-and-braces CORS at the Apache level. Combined with cors.php this
#  guarantees the headers reach Tizen / webOS / Android / web clients.
# =====================================================================

<IfModule mod_headers.c>
    # Reflect the request's Origin header into Access-Control-Allow-Origin.
    # %{HTTP:ORIGIN}e is the literal string the browser sent. Tizen WGT
    # sends "null" (string) and that's fine — the directive echoes it back.
    SetEnvIf Origin "^(.*)$" CORS_ORIGIN=$1

    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Vary "Origin"
    Header always set Access-Control-Allow-Credentials "true"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, Accept, Origin, X-API-Key, X-Device-ID, X-App-Version"
    Header always set Access-Control-Expose-Headers "Content-Length, Content-Range, X-Proxy-Error"
    Header always set Access-Control-Max-Age "86400"
</IfModule>

# Short-circuit pre-flight OPTIONS requests with a 204 No Content so PHP
# scripts don't even need to run for them (faster, fewer moving parts).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=204,L]
</IfModule>
