Fix Access-Control-Allow-Headers bug

If the Access-Control-Request-Headers header is not passed,
Access-Control-Allow-Headers was being set to nil.  Which then causes
rack to through an error.

lib/sinatra/cors.rb

@@ -16,8 +16,8 @@ def cors
               return
             end
 
-            response.headers["Access-Control-Allow-Headers"] = request.env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]
-            response.headers["Access-Control-Allow-Methods"] = request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
+            response.headers["Access-Control-Allow-Headers"] = request_headers if request_headers
+            response.headers["Access-Control-Allow-Methods"] = request_method
             response.headers["Access-Control-Max-Age"] = settings.max_age if settings.max_age?
           else
             response.headers["Access-Control-Expose-Headers"] = settings.expose_headers if settings.expose_headers?
@@ -71,6 +71,14 @@ def allowed_methods
         matches.uniq
       end
 
+      def request_headers
+        request.env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]
+      end
+
+      def request_method
+        request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
+      end
+
       private
 
       def bad_method_message

spec/cors_spec.rb

@@ -48,33 +48,49 @@ def app
   end
 
   describe "A valid CORS preflight request" do
-    before :all do
-      rack_env = {
-        "HTTP_ORIGIN" => "http://example.com",
-        "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET",
-        "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "if-modified-since"
-      }
-      options "/foo/1", {}, rack_env
-    end
-
-    it "should be handled for all routes" do
-      expect(last_response).to be_ok
-    end
-
-    it "should have an Allow header build from existing routes" do
-      expect(last_response["Allow"]).to eq("OPTIONS,GET,HEAD,DELETE")
-    end
-
-    it "should have an Access-Control-Allow-Methods header that includes only the method requested" do
-      expect(last_response["Access-Control-Allow-Methods"]).to eq("GET")
-    end
-
-    it "should have an Access-Control-Allow-Origin header that includes only the origin of the request" do
-      expect(last_response["Access-Control-Allow-Origin"]).to eq("http://example.com")
-    end
-
-    it "should have an Access-Control-Allow-Headers header that includes only the headers requested" do
-      expect(last_response["Access-Control-Allow-Headers"]).to eq("if-modified-since")
+    describe "with an Access-Control-Request-Headers header" do
+      before :all do
+        rack_env = {
+          "HTTP_ORIGIN" => "http://example.com",
+          "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET",
+          "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "if-modified-since"
+        }
+        options "/foo/1", {}, rack_env
+      end
+
+      it "should be handled for all routes" do
+        expect(last_response).to be_ok
+      end
+
+      it "should have an Allow header build from existing routes" do
+        expect(last_response["Allow"]).to eq("OPTIONS,GET,HEAD,DELETE")
+      end
+
+      it "should have an Access-Control-Allow-Methods header that includes only the method requested" do
+        expect(last_response["Access-Control-Allow-Methods"]).to eq("GET")
+      end
+
+      it "should have an Access-Control-Allow-Origin header that includes only the origin of the request" do
+        expect(last_response["Access-Control-Allow-Origin"]).to eq("http://example.com")
+      end
+
+      it "should have an Access-Control-Allow-Headers header that includes only the headers requested" do
+        expect(last_response["Access-Control-Allow-Headers"]).to eq("if-modified-since")
+      end
+    end
+
+    describe "without an Access-Control-Request-Headers header" do
+      before :all do
+        rack_env = {
+          "HTTP_ORIGIN" => "http://example.com",
+          "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET"
+        }
+        options "/foo/1", {}, rack_env
+      end
+
+      it "should not have an Access-Control-Allow-Headers header" do
+        expect(last_response.has_header? "Access-Control-Allow-Headers").to eq(false)
+      end
     end
   end