From 1ae4d881fd97dd7f03872a883df755181f32d197 Mon Sep 17 00:00:00 2001
From: Melissa LeBlanc-Williams <melissa@adafruit.com>
Date: Wed, 24 Aug 2022 14:50:42 -0700
Subject: [PATCH] Allow Move/Rename to be called from localhost

---
 docs/workflows.md                             | 2 +-
 supervisor/shared/web_workflow/web_workflow.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/workflows.md b/docs/workflows.md
index 7938c441f2..576bfbdb5b 100644
--- a/docs/workflows.md
+++ b/docs/workflows.md
@@ -138,7 +138,7 @@ root will be returned.
 When requested with the `OPTIONS` method, the server will respond with CORS related headers. Most
 aren't needed for API use. They are there for the web browser.
 
-* `Access-Control-Allow-Methods` - Varies with USB state. `GET, OPTIONS` when USB is active. `GET, OPTIONS, PUT, DELETE` otherwise.
+* `Access-Control-Allow-Methods` - Varies with USB state. `GET, OPTIONS` when USB is active. `GET, OPTIONS, PUT, DELETE, MOVE` otherwise.
 
 Example:
 
diff --git a/supervisor/shared/web_workflow/web_workflow.c b/supervisor/shared/web_workflow/web_workflow.c
index 3f942b91d3..5d6429aaa3 100644
--- a/supervisor/shared/web_workflow/web_workflow.c
+++ b/supervisor/shared/web_workflow/web_workflow.c
@@ -511,10 +511,10 @@ static void _reply_access_control(socketpool_socket_obj_t *socket, _request *req
         "HTTP/1.1 204 No Content\r\n",
         "Content-Length: 0\r\n",
         "Access-Control-Expose-Headers: Access-Control-Allow-Methods\r\n",
-        "Access-Control-Allow-Headers: X-Timestamp, Content-Type, Authorization\r\n",
+        "Access-Control-Allow-Headers: X-Timestamp, X-Destination, Content-Type, Authorization\r\n",
         "Access-Control-Allow-Methods:GET, OPTIONS", NULL);
     if (!_usb_active()) {
-        _send_str(socket, ", PUT, DELETE");
+        _send_str(socket, ", PUT, DELETE, MOVE");
         #if CIRCUITPY_USB_MSC
         usb_msc_unlock();
         #endif