From 12404a2d5cf309229735d6f6ced7f86c6d3fcf8e Mon Sep 17 00:00:00 2001
From: Olivier Ligot
Date: Fri, 22 Feb 2013 15:58:09 +0100
Subject: [PATCH] CORS: respect specification regarding Access-Control-Allow-Headers

According to the specification, the value of the response header Access-Control-Allow-Headers must contain at least all the values of the request header Access-Control-Request-Headers to be considered a valid request. Before this commit, only the Authorization value was present, which is enough for Firefox but not for Chrome. This should now work as expected.
---
 .../server/ewsgi/specification/request/wgi_meta_names.e | 2 ++
 library/server/ewsgi/specification/request/wgi_request.e | 6 ++++++
 .../ewsgi/src/implementation/wgi_request_from_table.e | 7 +++++++
 .../server/wsf/src/response/wsf_cors_options_response.e | 8 ++++++--
 library/server/wsf/src/wsf_request.e | 7 +++++++
 5 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/library/server/ewsgi/specification/request/wgi_meta_names.e b/library/server/ewsgi/specification/request/wgi_meta_names.e
index 4b2f10b8..7eeb913e 100644
--- a/library/server/ewsgi/specification/request/wgi_meta_names.e
+++ b/library/server/ewsgi/specification/request/wgi_meta_names.e
@@ -50,6 +50,8 @@ feature -- Access
 http_transfer_encoding: STRING = "HTTP_TRANSFER_ENCODING"
+ http_access_control_request_headers: STRING = "HTTP_ACCESS_CONTROL_REQUEST_HEADERS"
+
 gateway_interface: STRING = "GATEWAY_INTERFACE"
 auth_type: STRING = "AUTH_TYPE"
diff --git a/library/server/ewsgi/specification/request/wgi_request.e b/library/server/ewsgi/specification/request/wgi_request.e
index 1dccd709..86e1e489 100644
--- a/library/server/ewsgi/specification/request/wgi_request.e
+++ b/library/server/ewsgi/specification/request/wgi_request.e
@@ -598,6 +598,12 @@ feature -- HTTP_*
 deferred
 end
+ http_access_control_request_headers: detachable READABLE_STRING_8
+ -- Indicates which headers will be used in the actual request
+ -- as part of the preflight request
+ deferred
+ end
+
 feature -- Extra CGI environment variables
 request_uri: READABLE_STRING_8
diff --git a/library/server/ewsgi/src/implementation/wgi_request_from_table.e b/library/server/ewsgi/src/implementation/wgi_request_from_table.e
index 2bfa00d6..79fb3007 100644
--- a/library/server/ewsgi/src/implementation/wgi_request_from_table.e
+++ b/library/server/ewsgi/src/implementation/wgi_request_from_table.e
@@ -241,6 +241,13 @@ feature -- Access: HTTP_* CGI meta parameters - 1.1
 Result := meta_string_variable ({WGI_META_NAMES}.http_transfer_encoding)
 end
+ http_access_control_request_headers: detachable READABLE_STRING_8
+ -- Indicates which headers will be used in the actual request
+ -- as part of the preflight request
+ do
+ Result := meta_string_variable ({WGI_META_NAMES}.http_access_control_request_headers)
+ end
+
 feature -- Access: Extension to CGI meta parameters - 1.1
 request_uri: READABLE_STRING_8
diff --git a/library/server/wsf/src/response/wsf_cors_options_response.e b/library/server/wsf/src/response/wsf_cors_options_response.e
index a0790a0b..0c928e2a 100644
--- a/library/server/wsf/src/response/wsf_cors_options_response.e
+++ b/library/server/wsf/src/response/wsf_cors_options_response.e
@@ -40,9 +40,13 @@ feature {WSF_RESPONSE} -- Output
 local
 l_methods: WSF_REQUEST_METHODS
 do
- res.set_status_code ({HTTP_STATUS_CODE}.No_content)
+ res.set_status_code ({HTTP_STATUS_CODE}.Ok)
+ header.put_content_type ({HTTP_MIME_TYPES}.text_plain)
 header.put_current_date
- header.put_access_control_allow_headers ({HTTP_HEADER_NAMES}.header_authorization)
+ header.put_content_length (0)
+ if attached request.http_access_control_request_headers as l_headers then
+ header.put_access_control_allow_headers (l_headers)
+ end
 l_methods := router.allowed_methods_for_request (request)
 if not l_methods.is_empty then
 header.put_allow (l_methods)
diff --git a/library/server/wsf/src/wsf_request.e b/library/server/wsf/src/wsf_request.e
index d90d89b2..6cc4e65d 100644
--- a/library/server/wsf/src/wsf_request.e
+++ b/library/server/wsf/src/wsf_request.e
@@ -958,6 +958,13 @@ feature -- HTTP_*
 Result := wgi_request.http_transfer_encoding
 end
+ http_access_control_request_headers: detachable READABLE_STRING_8
+ -- Indicates which headers will be used in the actual request
+ -- as part of the preflight request
+ do
+ Result := wgi_request.http_access_control_request_headers
+ end
+
 feature -- Extra CGI environment variables
 request_uri: READABLE_STRING_8
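Review bot: In wsf_cors_options_response.e the new `if attached request.http_access_control_request_headers as l_headers then` branch copies the client's requested header list unchanged into Access-Control-Allow-Headers, so the preflight now approves every request header a cross-origin page asks for and this check no longer restricts anything. That is what makes Chrome accept the response, but which headers to allow is a server policy choice. The more defensive form keeps an application-defined list of permitted header names and returns only the requested names found in it, compared case-insensitively. If echoing is intended, record it at the call site, e.g. `-- Echoes Access-Control-Request-Headers verbatim: no request header is refused by the preflight`. It would also be worth confirming that the origin and credentials handling, which is not visible in this hunk, is strict enough to carry that, since the enclosing feature starts and ends outside the hunk.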