Use single comma separated header for IE compatibility

For the benefit of IE, generate access control headers with comma separated values rather than a header for each value. It appears that at least IE 11 only looks at the first 'Access-Control-Allow-Headers' header.
haarg · Dec 7, 2014 · 69f7b89 · 69f7b89
1 parent 8966662
commit 69f7b89
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 6 deletions.
diff --git a/lib/Plack/Middleware/CrossOrigin.pm b/lib/Plack/Middleware/CrossOrigin.pm
@@ -165,10 +165,8 @@ sub call {
         if (defined $self->max_age) {
             push @headers, 'Access-Control-Max-Age' => $self->max_age;
         }
-        push @headers, 'Access-Control-Allow-Methods' => $_
-            for @$allowed_methods;
-        push @headers, 'Access-Control-Allow-Headers' => $_
-            for @$allowed_headers;
+        push @headers, 'Access-Control-Allow-Methods' => join ', ', @$allowed_methods;
+        push @headers, 'Access-Control-Allow-Headers' => join ', ', @$allowed_headers;
 
         $res = _response_success();
     }
@@ -185,8 +183,7 @@ sub call {
             $expose_headers = [keys %headers];
         }
 
-        push @headers, 'Access-Control-Expose-Headers' => $_
-            for @$expose_headers;
+        push @headers, 'Access-Control-Expose-Headers' => join ', ', @$expose_headers;
 
         push @{ $res->[1] }, @headers;
     });

diff --git a/t/basic.t b/t/basic.t
@@ -240,4 +240,43 @@ test_psgi
         ok ! $has_run, 'continue_on_failure doesn\'t run main app for preflighted request';
     };
 
+{
+   # Test that the access control headers are returned as single headers
+   # with comma-separated values. IE 11 (at least) appears to only evaluate
+   # the first 'Access-Control-Allow-Headers' header.
+   #
+   # We can't use test_psgi for this test because after the PSGI response
+   # is parsed by HTTP::Response we can no longer tell how the headers were
+   # actually formatted.
+   my $app = builder {
+        enable 'CrossOrigin',
+            origins => [ 'http://www.example.com' ],
+            methods => ['GET', 'POST'],
+            headers => ['X-Extra-Header', 'X-Extra-Header-2'],
+            expose_headers => ['X-Exposed-Header', 'X-Exposed-Header2'],
+        ;
+        sub { [ 200, [
+            'Content-Type' => 'text/plain',
+        ], [ 'Hello World' ] ] };
+    };
+
+   my $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [
+      'Access-Control-Request-Method' => 'POST',
+      'Origin' => 'http://www.example.com',
+   ]);
+
+   my $res = $app->($req->to_psgi);
+   is_deeply($res, [
+      200,
+      [
+         'Content-Type'                  => 'text/plain',
+         'Access-Control-Allow-Origin'   => 'http://www.example.com',
+         'Access-Control-Allow-Methods'  => 'GET, POST',
+         'Access-Control-Allow-Headers'  => 'X-Extra-Header, X-Extra-Header-2',
+         'Access-Control-Expose-Headers' => 'X-Exposed-Header, X-Exposed-Header2'
+      ],
+      []
+   ], 'headers returned as comma separated values for the benenfit of IE');
+}
+
 done_testing;