Do not return Access-Control-Allow-Headers on Non-Preflight Cors requests

Motivation: The CorsHandler currently returns the Access-Control-Allow-Headers header as on a Non-Preflight CORS request (Simple request). As per the CORS specification the Access-Control-Allow-Headers header should only be returned on Preflight requests. (not on simple requests). https://www.w3.org/TR/2014/REC-cors-20140116/#access-control-allow-headers-response-header http://www.html5rocks.com/static/images/cors_server_flowchart.png Modifications: Modified CorsHandler.java to not add the Access-Control-Allow-Headers header when responding to Non-preflight CORS request. Result: Access-Control-Allow-Headers header will not be returned on a Simple request (Non-preflight CORS request).
2016-08-15 13:22:15 -04:00 · 2016-08-15 13:22:15 -04:00 · c9a8e4848c
commit c9a8e4848c
parent 44b87a4b1c
2 changed files with 5 additions and 1 deletions
--- a/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java
@ -187,7 +187,6 @@ public class CorsHandler extends ChannelDuplexHandler {
            final HttpResponse response = (HttpResponse) msg;
            if (setOrigin(response)) {
                setAllowCredentials(response);
-                setAllowHeaders(response);
                setExposeHeaders(response);
            }
        }
--- a/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java
@ -48,6 +48,7 @@ public class CorsHandlerTest {
    public void simpleRequestWithAnyOrigin() {
        final HttpResponse response = simpleRequest(CorsConfig.withAnyOrigin().build(), "http://localhost:7777");
        assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is("*"));
+        assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
    }

    @Test
@ -55,6 +56,7 @@ public class CorsHandlerTest {
        final String origin = "http://localhost:8888";
        final HttpResponse response = simpleRequest(CorsConfig.withOrigin(origin).build(), origin);
        assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin));
+        assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
    }

    @Test
@ -64,8 +66,10 @@ public class CorsHandlerTest {
        final String[] origins = {origin1, origin2};
        final HttpResponse response1 = simpleRequest(CorsConfig.withOrigins(origins).build(), origin1);
        assertThat(response1.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin1));
+        assertThat(response1.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
        final HttpResponse response2 = simpleRequest(CorsConfig.withOrigins(origins).build(), origin2);
        assertThat(response2.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(origin2));
+        assertThat(response2.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
    }

    @Test
@ -73,6 +77,7 @@ public class CorsHandlerTest {
        final String origin = "http://localhost:8888";
        final HttpResponse response = simpleRequest(CorsConfig.withOrigins("https://localhost:8888").build(), origin);
        assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(nullValue()));
+        assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_HEADERS), is(nullValue()));
    }

    @Test