From 74dd1b409f9eaef3887c2996531d53a355cc9943 Mon Sep 17 00:00:00 2001
From: Gil Pedersen
Date: Thu, 11 Sep 2014 11:20:12 +0200
Subject: [PATCH] handle empty CORS expose-headers header response

---
 lib/response/headers.js | 5 ++++-
 test/response.js | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/lib/response/headers.js b/lib/response/headers.js
index d2794fd94..97932a166 100755
--- a/lib/response/headers.js
+++ b/lib/response/headers.js
@@ -104,7 +104,10 @@ internals.cors = function (response, request) {
 response._header('access-control-max-age', cors.maxAge, { override: false });
 response._header('access-control-allow-methods', cors._methods, { override: false });
 response._header('access-control-allow-headers', cors._headers, { override: false });
- response._header('access-control-expose-headers', cors._exposedHeaders, { override: false });
+
+ if (cors._exposedHeaders.length !== 0) {
+ response._header('access-control-expose-headers', cors._exposedHeaders, { override: false });
+ }
 
 if (cors.credentials) {
 response._header('access-control-allow-credentials', 'true', { override: false });
diff --git a/test/response.js b/test/response.js
index 06251404d..15ffb1a81 100755
--- a/test/response.js
+++ b/test/response.js
@@ -380,6 +380,25 @@ describe('Response', function () {
 });
 });
 
+ it('does not set empty CORS expose headers', function (done) {
+
+ var handler = function (request, reply) {
+
+ reply('ok');
+ };
+
+ var server = new Hapi.Server({ cors: { exposedHeaders: [] } });
+ server.route({ method: 'GET', path: '/', handler: handler });
+
+ server.inject({ url: '/' }, function (res) {
+ expect(res.result).to.exist;
+ expect(res.result).to.equal('ok');
+ expect(res.headers['access-control-allow-methods']).to.exist;
+ expect(res.headers['access-control-expose-headers']).to.not.exist;
+ done();
+ });
+ });
+
 it('does not set security headers by default', function (done) {
 
 var handler = function (request, reply) {
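Review bot: The new guard `if (cors._exposedHeaders.length !== 0)` assumes `cors._exposedHeaders` is always set (a joined string or an array) by the time `internals.cors` runs; if the CORS configuration can leave it undefined — not visible in this hunk — `.length` throws a TypeError while the response is being finalized, so `if (cors._exposedHeaders && cors._exposedHeaders.length !== 0) {` would match the defensive shape of the `cors.credentials` check just below. The same empty-value situation presumably applies to `access-control-allow-methods` and `access-control-allow-headers` two lines up if `_methods`/`_headers` can be configured empty; worth confirming whether they need the same guard or whether the empty check belongs inside `response._header` itself. A why-comment above the new `if`, `// An empty Access-Control-Expose-Headers header has no meaning; omit it rather than send an empty value.`, would record the intent for the next reader. `internals.cors` starts and ends outside the hunk.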
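Review bot: The new test pins only the empty case; nothing in this hunk asserts that a non-empty `exposedHeaders` configuration still emits `access-control-expose-headers`, so a regression that drops the header entirely would pass unless an existing test elsewhere in this file already covers it. A companion `it` using `exposedHeaders: ['x-custom']` (constructed example) with `expect(res.headers['access-control-expose-headers']).to.equal('x-custom');` would cover both sides of the new branch, adjusting the expected value to however the server joins the list. `expect(res.result).to.exist;` is redundant next to `expect(res.result).to.equal('ok');` on the following line and can be dropped. The enclosing `describe('Response', ...)` block ends outside the hunk.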