diff --git a/src/Microsoft.AspNet.Cors.Core/CorsService.cs b/src/Microsoft.AspNet.Cors.Core/CorsService.cs
index bcc09e6cb0..f9a2d6ea8e 100644
--- a/src/Microsoft.AspNet.Cors.Core/CorsService.cs
+++ b/src/Microsoft.AspNet.Cors.Core/CorsService.cs
@@ -97,7 +97,8 @@ namespace Microsoft.AspNet.Cors.Core
 if (!policy.AllowAnyHeader &&
 requestHeaders != null &&
- !requestHeaders.All(header => policy.Headers.Contains(header, StringComparer.Ordinal)))
+ !requestHeaders.All(header => CorsConstants.SimpleRequestHeaders.Contains(header, StringComparer.OrdinalIgnoreCase) ||
+ policy.Headers.Contains(header, StringComparer.OrdinalIgnoreCase)))
 {
 return;
 }
diff --git a/test/Microsoft.AspNet.Cors.Core.Test/CorsServiceTests.cs b/test/Microsoft.AspNet.Cors.Core.Test/CorsServiceTests.cs
index cd2400db0b..e32e322b4b 100644
--- a/test/Microsoft.AspNet.Cors.Core.Test/CorsServiceTests.cs
+++ b/test/Microsoft.AspNet.Cors.Core.Test/CorsServiceTests.cs
@@ -397,7 +397,7 @@ namespace Microsoft.AspNet.Cors.Core.Test
 method: "OPTIONS",
 origin: "http://example.com",
 accessControlRequestMethod: "PUT",
- accessControlRequestHeaders: new[] { "Content-Type" });
+ accessControlRequestHeaders: new[] { "content-type", "accept" });
 var policy = new CorsPolicy();
 policy.Origins.Add(CorsConstants.AnyOrigin);
 policy.Methods.Add("*");
@@ -409,8 +409,8 @@ namespace Microsoft.AspNet.Cors.Core.Test
 var result = corsService.EvaluatePolicy(requestContext, policy);
 // Assert
- Assert.Equal(1, result.AllowedHeaders.Count);
- Assert.Contains("Content-Type", result.AllowedHeaders);
+ Assert.Equal(2, result.AllowedHeaders.Count);
+ Assert.Contains("Content-Type", result.AllowedHeaders, StringComparer.OrdinalIgnoreCase);
 }
 [Fact]
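Review bot: The new predicate in the `!requestHeaders.All(...)` check lets any name found in `CorsConstants.SimpleRequestHeaders` pass the preflight regardless of `policy.Headers`, and that list is defined outside this diff, so its contents should be confirmed before merging. In particular it should not contain `Content-Type`: that header is safelisted only for three form/text media types, and a browser names it in `Access-Control-Request-Headers` only when the value is outside that set, so allowing it implicitly would weaken a policy that restricts headers. A short comment above the condition would record the intent, for example `// CORS-safelisted request headers are always allowed; other names must be listed in policy.Headers (compared case-insensitively).` The enclosing method starts and ends outside the hunk, so how the accepted names are copied into the result is not visible here.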
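Review bot: The updated assertions in the last hunk pin only the count and the presence of `Content-Type`, so the test would still pass if `accept` were dropped and a different header were returned in its place; adding `Assert.Contains("accept", result.AllowedHeaders, StringComparer.OrdinalIgnoreCase);` closes that gap. Since the production change relaxes an access-control check, it is also worth a companion case (if none exists elsewhere in the file) where the preflight names a header that is neither in the policy nor in `CorsConstants.SimpleRequestHeaders`, asserting that `result.AllowedHeaders` stays empty. The test method begins above the hunk and the lines between the two test hunks are not shown, so which headers the policy itself lists cannot be seen from here.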