diff --git a/lib/sinatra/cors.rb b/lib/sinatra/cors.rb index a887059..0acf670 100644 --- a/lib/sinatra/cors.rb +++ b/lib/sinatra/cors.rb @@ -16,8 +16,8 @@ def cors return end - response.headers["Access-Control-Allow-Headers"] = request.env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"] - response.headers["Access-Control-Allow-Methods"] = request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] + response.headers["Access-Control-Allow-Headers"] = request_headers if request_headers + response.headers["Access-Control-Allow-Methods"] = request_method response.headers["Access-Control-Max-Age"] = settings.max_age if settings.max_age? else response.headers["Access-Control-Expose-Headers"] = settings.expose_headers if settings.expose_headers? @@ -71,6 +71,14 @@ def allowed_methods matches.uniq end + def request_headers + request.env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"] + end + + def request_method + request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] + end + private def bad_method_message diff --git a/spec/cors_spec.rb b/spec/cors_spec.rb index 2390d0d..b27e92e 100644 --- a/spec/cors_spec.rb +++ b/spec/cors_spec.rb @@ -48,33 +48,49 @@ def app end describe "A valid CORS preflight request" do - before :all do - rack_env = { - "HTTP_ORIGIN" => "http://example.com", - "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", - "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "if-modified-since" - } - options "/foo/1", {}, rack_env - end - - it "should be handled for all routes" do - expect(last_response).to be_ok - end - - it "should have an Allow header build from existing routes" do - expect(last_response["Allow"]).to eq("OPTIONS,GET,HEAD,DELETE") - end - - it "should have an Access-Control-Allow-Methods header that includes only the method requested" do - expect(last_response["Access-Control-Allow-Methods"]).to eq("GET") - end - - it "should have an Access-Control-Allow-Origin header that includes only the origin of the request" do - expect(last_response["Access-Control-Allow-Origin"]).to eq("http://example.com") - end - - it "should have an Access-Control-Allow-Headers header that includes only the headers requested" do - expect(last_response["Access-Control-Allow-Headers"]).to eq("if-modified-since") + describe "with an Access-Control-Request-Headers header" do + before :all do + rack_env = { + "HTTP_ORIGIN" => "http://example.com", + "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", + "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "if-modified-since" + } + options "/foo/1", {}, rack_env + end + + it "should be handled for all routes" do + expect(last_response).to be_ok + end + + it "should have an Allow header build from existing routes" do + expect(last_response["Allow"]).to eq("OPTIONS,GET,HEAD,DELETE") + end + + it "should have an Access-Control-Allow-Methods header that includes only the method requested" do + expect(last_response["Access-Control-Allow-Methods"]).to eq("GET") + end + + it "should have an Access-Control-Allow-Origin header that includes only the origin of the request" do + expect(last_response["Access-Control-Allow-Origin"]).to eq("http://example.com") + end + + it "should have an Access-Control-Allow-Headers header that includes only the headers requested" do + expect(last_response["Access-Control-Allow-Headers"]).to eq("if-modified-since") + end + end + + describe "without an Access-Control-Request-Headers header" do + before :all do + rack_env = { + "HTTP_ORIGIN" => "http://example.com", + "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET" + } + options "/foo/1", {}, rack_env + end + + it "should not have an Access-Control-Allow-Headers header" do + expect(last_response.has_header? "Access-Control-Allow-Headers").to eq(false) + end end end