Similarly to https://github.com/cyu/rack-cors/issues/162, I was getting duplicated headers with Rack::Cors. Not only with Access-Control-Allow-Origin, but also with other headers. The issue is that here Rack::Cors merges the existing headers into add_headers here: https://github.com/cyu/rack-cors/blob/908ea29e1b0fdc4c6091ccb4eb92b6de1e370387/lib/rack/cors.rb#L103-L106

This is a problem because headers is usually a Rack::Utils::HeaderHash, which is a case-insensitive hash. By merging it into a regular hash, the headers are now case-sensitive, allowing duplicates if they have different cases.

I think this could be solved by making this hash a HeaderHash instead of a normal hash: https://github.com/cyu/rack-cors/blob/908ea29e1b0fdc4c6091ccb4eb92b6de1e370387/lib/rack/cors/resource.rb#L61-L70
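The merge behaviour described in the issue above, as an added Ruby example that is not part of the original post and is not rack-cors code. It assumes a small constructed class, CaseInsensitiveHeaders, standing in for Rack::Utils::HeaderHash so it runs without the rack gem; the method names and sample header values are also constructed.

```ruby
# Constructed stand-in for Rack::Utils::HeaderHash (assumption: only the
# case-insensitive lookup matters here, so that is all it implements).
class CaseInsensitiveHeaders
  def initialize(pairs = {})
    @names = {}   # downcased name => spelling first written
    @values = {}  # downcased name => current value
    pairs.each { |name, value| self[name] = value }
  end

  def []=(name, value)
    key = name.downcase
    @names[key] ||= name
    @values[key] = value
  end

  def each
    @names.each { |key, name| yield name, @values[key] }
  end

  # Lets Hash#merge accept this object, as it would a Hash subclass.
  def to_hash
    out = {}
    each { |name, value| out[name] = value }
    out
  end
end

# Behaviour the issue describes: the result is a plain Hash, so keys are
# compared byte-for-byte and both spellings of one header survive.
def merge_into_plain_hash(cors_headers, response_headers)
  cors_headers.merge(response_headers)
end

# Direction proposed in the issue: keep the merged result case-insensitive.
def merge_case_insensitive(cors_headers, response_headers)
  merged = CaseInsensitiveHeaders.new(cors_headers)
  response_headers.each { |name, value| merged[name] = value }
  merged.to_hash
end

# Regression check: header names that collide once case is ignored.
def case_duplicates(headers)
  headers.keys.group_by(&:downcase).select { |_, names| names.size > 1 }
end

# Constructed sample: the app already set a lowercase CORS header.
SAMPLE_CORS = { 'Access-Control-Allow-Origin' => 'https://app.example', 'Vary' => 'Origin' }
SAMPLE_APP = CaseInsensitiveHeaders.new('access-control-allow-origin' => 'https://app.example',
                                        'Content-Type' => 'text/plain')
```

Running case_duplicates over the final response headers in a middleware test catches this class of bug regardless of which layer introduced the second spelling.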