CORS: respect specification regarding Access-Control-Allow-Headers

According to the specification, the value of the response header Access-Control-Allow-Headers must contain at least all the values of the request header Access-Control-Request-Headers to be considered a valid request. Before this commit, only the Authorization value was present, which is enough for Firefox but not for Chrome. This should now work as expected.
2013-02-22 15:58:09 +01:00
parent ff57d0ecd4
commit 12404a2d5c
5 changed files with 28 additions and 2 deletions
--- a/library/server/ewsgi/specification/request/wgi_meta_names.e
+++ b/library/server/ewsgi/specification/request/wgi_meta_names.e
@@ -50,6 +50,8 @@ feature -- Access

 	http_transfer_encoding: STRING = "HTTP_TRANSFER_ENCODING"

+	http_access_control_request_headers: STRING = "HTTP_ACCESS_CONTROL_REQUEST_HEADERS"
+
 	gateway_interface: STRING = "GATEWAY_INTERFACE"

 	auth_type: STRING = "AUTH_TYPE"
--- a/library/server/ewsgi/specification/request/wgi_request.e
+++ b/library/server/ewsgi/specification/request/wgi_request.e
@@ -598,6 +598,12 @@ feature -- HTTP_*
 		deferred
 		end

+	http_access_control_request_headers: detachable READABLE_STRING_8
+			-- Indicates which headers will be used in the actual request
+                        -- as part of the preflight request
+		deferred
+		end
+
 feature -- Extra CGI environment variables

 	request_uri: READABLE_STRING_8
--- a/library/server/ewsgi/src/implementation/wgi_request_from_table.e
+++ b/library/server/ewsgi/src/implementation/wgi_request_from_table.e
@@ -241,6 +241,13 @@ feature -- Access: HTTP_* CGI meta parameters - 1.1
 			Result := meta_string_variable ({WGI_META_NAMES}.http_transfer_encoding)
 		end

+	http_access_control_request_headers: detachable READABLE_STRING_8
+			-- Indicates which headers will be used in the actual request
+                        -- as part of the preflight request
+		do
+			Result := meta_string_variable ({WGI_META_NAMES}.http_access_control_request_headers)
+		end
+
 feature -- Access: Extension to CGI meta parameters - 1.1

 	request_uri: READABLE_STRING_8
--- a/library/server/wsf/src/response/wsf_cors_options_response.e
+++ b/library/server/wsf/src/response/wsf_cors_options_response.e
@@ -40,9 +40,13 @@ feature {WSF_RESPONSE} -- Output
 		local
 			l_methods: WSF_REQUEST_METHODS
 		do
-			res.set_status_code ({HTTP_STATUS_CODE}.No_content)
+			res.set_status_code ({HTTP_STATUS_CODE}.Ok)
+			header.put_content_type ({HTTP_MIME_TYPES}.text_plain)
 			header.put_current_date
-			header.put_access_control_allow_headers ({HTTP_HEADER_NAMES}.header_authorization)
+			header.put_content_length (0)
+			if attached request.http_access_control_request_headers as l_headers then
+				header.put_access_control_allow_headers (l_headers)
+			end
 			l_methods := router.allowed_methods_for_request (request)
 			if not l_methods.is_empty then
 				header.put_allow (l_methods)
--- a/library/server/wsf/src/wsf_request.e
+++ b/library/server/wsf/src/wsf_request.e
@@ -958,6 +958,13 @@ feature -- HTTP_*
 			Result := wgi_request.http_transfer_encoding
 		end

+	http_access_control_request_headers: detachable READABLE_STRING_8
+			-- Indicates which headers will be used in the actual request
+                        -- as part of the preflight request
+		do
+			Result := wgi_request.http_access_control_request_headers
+		end
+
 feature -- Extra CGI environment variables

 	request_uri: READABLE_STRING_8