Summary
`https://fileshare.staging.postguard.eu/fileupload/init\` (and the rest of `/fileupload/`, `/filedownload/`) does not return CORS headers. Browser consumers calling from a different origin hit:
```
Access to fetch at 'https://fileshare.staging.postguard.eu/fileupload/init' from origin 'https://localhost:3000' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
Affected callers
(The PostGuard website itself is presumably same-origin-ish or proxies through a Next/Svelte server route, so it doesn't see this.)
Suggested fix
Add CORS to the Cryptify endpoints, allowing at minimum:
The same fix is needed on production Cryptify (`fileshare.postguard.eu` if separate).
`Access-Control-Allow-Origin` plus `Access-Control-Allow-Headers: Content-Type, Authorization, ...` and the matching preflight `Access-Control-Allow-Methods: POST, GET, PUT, DELETE`.
Downstream
Even with CORS fixed, pg-js leaks an unhandled rejection when this path fails — tracked separately at encryption4all/postguard-js#32.
Repro
```bash
curl -i -X OPTIONS -H 'Origin: https://localhost:3000' -H 'Access-Control-Request-Method: POST' https://fileshare.staging.postguard.eu/fileupload/init
```
→ no `Access-Control-Allow-Origin` in the response.
Summary
`https://fileshare.staging.postguard.eu/fileupload/init\` (and the rest of `/fileupload/`, `/filedownload/`) does not return CORS headers. Browser consumers calling from a different origin hit:
```
Access to fetch at 'https://fileshare.staging.postguard.eu/fileupload/init' from origin 'https://localhost:3000' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
Affected callers
(The PostGuard website itself is presumably same-origin-ish or proxies through a Next/Svelte server route, so it doesn't see this.)
Suggested fix
Add CORS to the Cryptify endpoints, allowing at minimum:
The same fix is needed on production Cryptify (`fileshare.postguard.eu` if separate).
`Access-Control-Allow-Origin` plus `Access-Control-Allow-Headers: Content-Type, Authorization, ...` and the matching preflight `Access-Control-Allow-Methods: POST, GET, PUT, DELETE`.
Downstream
Even with CORS fixed, pg-js leaks an unhandled rejection when this path fails — tracked separately at encryption4all/postguard-js#32.
Repro
```bash
curl -i -X OPTIONS -H 'Origin: https://localhost:3000' -H 'Access-Control-Request-Method: POST' https://fileshare.staging.postguard.eu/fileupload/init
```
→ no `Access-Control-Allow-Origin` in the response.