cyu / rack-cors

Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.
MIT License

Rack::Cors modifies headers to be case-sensitive, producing duplicated headers #218

Closed dgmora closed 1 year ago

dgmora commented 3 years ago

Similarly to https://github.com/cyu/rack-cors/issues/162, I was getting duplicated headers with Rack::Cors. Not only with Access-Control-Allow-Origin, but also with other headers. The issue is that Rack::Cors merges the existing headers into add_headers here:

https://github.com/cyu/rack-cors/blob/908ea29e1b0fdc4c6091ccb4eb92b6de1e370387/lib/rack/cors.rb#L103-L106

This is a problem because headers is usually a Rack::Utils::HeaderHash, which is a case-insensitive hash. By merging it into a regular hash, the headers are now case-sensitive, allowing duplicates if they have different cases.

I think this could be solved by making this hash a HeaderHash instead of a normal hash: https://github.com/cyu/rack-cors/blob/908ea29e1b0fdc4c6091ccb4eb92b6de1e370387/lib/rack/cors/resource.rb#L61-L70
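The merge described above, as an added example that is not rack-cors code: a small case-insensitive hash (a stand-in for Rack::Utils::HeaderHash, so it runs without the rack gem) is merged into a plain Hash the way the issue describes, and the duplicate header is counted before and after the proposed fix. The header names are the real CORS ones; the origin and content-type values are constructed.

```ruby
# Added example, not rack-cors code. Models the bug in this issue without the
# rack gem: CaseInsensitiveHeaders stands in for Rack::Utils::HeaderHash, the
# header names are the real CORS ones, the values are constructed.
class CaseInsensitiveHeaders
  def initialize(headers = {})
    @canonical = {} # downcased name => name as first given
    @values = {}    # name as first given => value
    headers.to_hash.each { |k, v| self[k] = v }
  end

  def [](name)
    @values[@canonical[name.to_s.downcase]]
  end
  # Setting a name that differs only in case overwrites the existing entry.
  def []=(name, value)
    key = (@canonical[name.to_s.downcase] ||= name.to_s)
    @values[key] = value
  end

  # Lets a plain Hash#merge consume this object, which is how the bug surfaces.
  def to_hash
    @values.dup
  end

  def merge(other)
    self.class.new(@values).tap { |h| other.to_hash.each { |k, v| h[k] = v } }
  end
end

# Buggy shape: the CORS headers live in a plain Hash and the app's existing
# headers are merged in. Hash#merge compares keys exactly, so two spellings of
# the same header both survive and are emitted as duplicate header lines.
def merge_headers_buggy(cors_headers, existing_headers)
  cors_headers.merge(existing_headers)
end

# Fixed shape: keep the merged result case-insensitive, as the issue proposes.
def merge_headers_fixed(cors_headers, existing_headers)
  CaseInsensitiveHeaders.new(cors_headers).merge(existing_headers)
end

# Number of times a header name would appear on the wire, ignoring case.
def header_line_count(headers, name)
  headers.to_hash.keys.count { |k| k.casecmp?(name) }
end

# Constructed sample: the app already set the header in lowercase.
CORS_HEADERS = { 'Access-Control-Allow-Origin' => 'https://app.example' }.freeze
APP_HEADERS = CaseInsensitiveHeaders.new('access-control-allow-origin' => '*',
                                         'Content-Type' => 'application/json')
```

With the plain-Hash merge the response carries Access-Control-Allow-Origin twice; with the case-insensitive merge the later value replaces the earlier one and the header appears once.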

cyu commented 1 year ago

Fixed in [862a7768a6786931d3f3458a73e67fbae31ae71d]