From 15761fb48e4c56be09167cb8f9b761114593b651 Mon Sep 17 00:00:00 2001
From: laggardkernel <laggardkernel@users.noreply.github.com>
Date: Sun, 13 Jun 2021 23:59:17 +0800
Subject: [PATCH] Deduplicate failure text in CORS preflight response (#1199)

Co-authored-by: Jamie Hewland <jhewland@gmail.com>
---
 starlette/middleware/cors.py  |  1 +
 tests/middleware/test_cors.py | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
index 0b3f505e7..c850579c8 100644
--- a/starlette/middleware/cors.py
+++ b/starlette/middleware/cors.py
@@ -129,6 +129,7 @@ def preflight_response(self, request_headers: Headers) -> Response:
             for header in [h.lower() for h in requested_headers.split(",")]:
                 if header.strip() not in self.allow_headers:
                     failures.append("headers")
+                    break
 
         # We don't strictly need to use 400 responses here, since its up to
         # the browser to enforce the CORS policy, but its more informative
diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
index 7a250a241..266ebca5b 100644
--- a/tests/middleware/test_cors.py
+++ b/tests/middleware/test_cors.py
@@ -179,6 +179,16 @@ def homepage(request):
     assert response.text == "Disallowed CORS origin, method, headers"
     assert "access-control-allow-origin" not in response.headers
 
+    # Bug specific test, https://github.com/encode/starlette/pull/1199
+    # Test preflight response text with multiple disallowed headers
+    headers = {
+        "Origin": "https://example.org",
+        "Access-Control-Request-Method": "GET",
+        "Access-Control-Request-Headers": "X-Nope-1, X-Nope-2",
+    }
+    response = client.options("/", headers=headers)
+    assert response.text == "Disallowed CORS headers"
+
 
 def test_preflight_allows_request_origin_if_origins_wildcard_and_credentials_allowed():
     app = Starlette()