Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why is "allow_headers" now a case-sensitive match? #187

Closed
satterly opened this issue Sep 6, 2016 · 4 comments
Closed

Why is "allow_headers" now a case-sensitive match? #187

satterly opened this issue Sep 6, 2016 · 4 comments

Comments

@satterly
Copy link

satterly commented Sep 6, 2016

With version 3.x the list of headers returned by Access-Control-Allow-Headers is now a case-sensitive match against the list of headers defined in the CORS_ALLOW_HEADERS setting.

For example, with version 2.1.3 if the setting for "allow_headers" was ...

CORS_ALLOW_HEADERS = ['Content-Type', 'Authorization']

... then the following works ...

$ http OPTIONS :5000 Origin:http://localhost:5001 Access-Control-Request-Headers:'authorization, Content-type' Access-Control-Request-Method:GET
OPTIONS / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: authorization, Content-type
Access-Control-Request-Method: GET
Connection: keep-alive
Content-Length: 0
Host: localhost:5000
Origin: http://localhost:5001
User-Agent: HTTPie/0.9.3

HTTP/1.0 200 OK
Access-Control-Allow-Headers: Content-type, authorization
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: http://localhost:5001
Allow: HEAD, GET, POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Tue, 06 Sep 2016 13:36:22 GMT
Server: Werkzeug/0.11.11 Python/2.7.9

However, with version 3.x it does not return the Access-Control-Allow-Headers header because there was no case-sensitive match.

$ http OPTIONS :5000 Origin:http://localhost:5001 Access-Control-Request-Headers:'authorization, Content-type' Access-Control-Request-Method:GET
OPTIONS / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: authorization, Content-type
Access-Control-Request-Method: GET
Connection: keep-alive
Content-Length: 0
Host: localhost:5000
Origin: http://localhost:5001
User-Agent: HTTPie/0.9.3

HTTP/1.0 200 OK
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: http://localhost:5001
Allow: HEAD, GET, POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Tue, 06 Sep 2016 13:39:34 GMT
Server: Werkzeug/0.11.11 Python/2.7.9

This breaks CORS on most browsers including Chrome and Firefox. However, not on IE apparently.

@corydolphin
Copy link
Owner

Headers should be case insensitive, this is a bad bug. Good catch. I will fix this tonight.

@satterly
Copy link
Author

satterly commented Sep 8, 2016

Thanks for the quick fix. I can confirm this works for me.

@corydolphin
Copy link
Owner

@satterly glad to hear it!

Thanks a lot for taking the time to make such a detailed report, it made it much easier to fix :-)

Let me know if you have any other feedback around this package :-)

@satterly
Copy link
Author

satterly commented Sep 9, 2016

You're welcome. I know what it's like trying to bugfix based on other people's Github issues.

As for feedback, some more debug logging would have helped me with this. But now that it's fixed I'm not sure it's worth spending much more time on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants