author | Russell Branca <chewbranca@gmail.com> | 2013-11-07 11:34:58 -0800 |
committer | Russell Branca <chewbranca@gmail.com> | 2013-11-07 11:41:50 -0800 |
commit | 4f619833695abb38b25d670c88bfdf9324c79f40 (patch) | |
tree | 2c0bbf7c28a73e803e2e0ee3a62811bff497c361 | |
parent | 6ee2e7204ee9625ec6ce299db7a0ac2a388d59a0 (diff) | |
download | couchdb-4f619833695abb38b25d670c88bfdf9324c79f40.tar.gz |
COUCHDB-1922: fix CORS exposed headers
-rw-r--r-- | src/couchdb/couch_httpd_cors.erl | 8 | ||||
-rw-r--r-- | test/etap/231-cors.t | 2 |
2 files changed, 6 insertions, 4 deletions
diff --git a/src/couchdb/couch_httpd_cors.erl b/src/couchdb/couch_httpd_cors.erl
index 91fe1aec0..d9462d1a1 100644
--- a/src/couchdb/couch_httpd_cors.erl
+++ b/src/couchdb/couch_httpd_cors.erl
@@ -35,6 +35,8 @@
 % as defined in http://www.w3.org/TR/cors/#terminology
 -define(SIMPLE_HEADERS, ["Cache-Control", "Content-Language", "Content-Type",
     "Expires", "Last-Modified", "Pragma"]).
+-define(ALLOWED_HEADERS, lists:sort(["Server", "Etag",
+    "Accept-Ranges" | ?SIMPLE_HEADERS])).
 -define(SIMPLE_CONTENT_TYPE_VALUES, ["application/x-www-form-urlencoded",
     "multipart/form-data", "text/plain"]).
@@ -212,7 +214,7 @@ maybe_apply_cors_headers(CorsHeaders, RequestHeaders0) ->
     % return: RequestHeaders ++ CorsHeaders ++ ACEH
     RequestHeaders = [K || {K,_V} <- RequestHeaders0],
-    ExposedHeaders0 = reduce_headers(RequestHeaders, ?SIMPLE_HEADERS),
+    ExposedHeaders0 = reduce_headers(RequestHeaders, ?ALLOWED_HEADERS),
     % here we may have not moved Content-Type into ExposedHeaders,
     % now we need to check whether the Content-Type valus is
@@ -242,10 +244,10 @@ reduce_headers(A, B) ->
     reduce_headers0(A, B, []).
 reduce_headers0([], _B, Result) ->
-    Result;
+    lists:sort(Result);
 reduce_headers0([ElmA|RestA], B, Result) ->
     R = case member_nocase(ElmA, B) of
-        true -> Result;
+        false -> Result;
         _Else -> [ElmA | Result]
     end,
     reduce_headers0(RestA, B, R).
diff --git a/test/etap/231-cors.t b/test/etap/231-cors.t
index ce5274792..ec17526b2 100644
--- a/test/etap/231-cors.t
+++ b/test/etap/231-cors.t
@@ -219,7 +219,7 @@ test_db_request(VHost) ->
         "http://example.com", "db Access-Control-Allow-Origin ok"),
     etap:is(proplists:get_value("Access-Control-Expose-Headers", RespHeaders),
-        "Content-Type, Server",
+        "Cache-Control, Content-Type, Server",
         "db Access-Control-Expose-Headers ok");
     _ ->
         etap:is(false, true, "ibrowse failed") |
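Review bot: The new `ALLOWED_HEADERS` macro has no comment, and its name reads like the Access-Control-Allow-Headers whitelist used for preflight requests, while the call site in the second hunk consumes it as the Access-Control-Expose-Headers whitelist; `EXPOSED_HEADERS` would match its use, and a comment should say why Server, Etag and Accept-Ranges sit next to the simple response headers, e.g. `% Response headers a browser may read cross-origin: the simple response headers` / `% plus the non-simple ones this server sets; anything else is never exposed.`. A macro expands to its body at every use site, so `lists:sort/1` here runs on each call that references `?ALLOWED_HEADERS`, and since `reduce_headers0/3` now sorts its own result the sort inside the macro appears redundant and can be dropped. Header names are compared case-insensitively by `member_nocase/2` as far as the third hunk shows, so the `Etag` spelling is presumably harmless, but noting that next to the list avoids a future "fix" to `ETag` that changes nothing.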
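Review bot: The comment directly after the changed line, `% here we may have not moved Content-Type into ExposedHeaders`, looks stale after this change: `?ALLOWED_HEADERS` contains all of `?SIMPLE_HEADERS`, so with the inverted membership test in `reduce_headers0/3` Content-Type is now kept whenever the response carries it, and the value check the comment introduces can no longer be what moves it in. If that check (outside the hunk) appends Content-Type to ExposedHeaders0, the header may now be listed twice; either drop the check or dedupe the list (e.g. `lists:usort/1`) before the Access-Control-Expose-Headers value is built. `maybe_apply_cors_headers/2` starts before and continues past the hunk, so this is inferred from the comment rather than from the following code. The switch from "everything that is not simple" to an explicit whitelist is the safer default for a header set that can grow with proxies or new handlers, and is worth stating in a comment above the call so nobody reverts it as a regression.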
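Review bot: The `case` in `reduce_headers0/3` now reads `false -> Result; _Else -> [ElmA | Result]`, i.e. the catch-all clause took over the positive branch when `true` was flipped to `false`; `member_nocase/2` is presumably boolean-valued, so spell both outcomes out: `true -> [ElmA | Result];` / `false -> Result`. That also lets an unexpected return from `member_nocase/2` fail with a `case_clause` instead of being silently treated as a match and exposing the header. `reduce_headers/2` has no comment describing its contract, which this commit reverses; suggest `% Keep the elements of A that appear (case-insensitively) in B, sorted.` above it.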
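Review bot: The updated assertion pins only the positive case; nothing in the test checks that a response header outside `?ALLOWED_HEADERS` stays out of Access-Control-Expose-Headers, which is the behaviour the whitelist flip in `reduce_headers0/3` introduces and the one most likely to regress silently. A second request whose response carries a non-whitelisted header, with an assertion that it is absent from the list, would cover it. The expected string also depends on the `lists:sort/1` ordering inside `reduce_headers0/3`; comparing `lists:sort(string:tokens(Value, ", "))` against a sorted expected list would keep the test independent of that detail. `test_db_request/1` starts before and continues past the hunk.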