Merge remote-tracking branch 'origin/release/2.2' into feature/w-m

src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs

@@ -139,13 +139,14 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             // https://fetch.spec.whatwg.org/#http-new-header-syntax
             AddHeaderValues(result.AllowedExposedHeaders, policy.ExposedHeaders);
 
-            var allowedMethods = policy.AllowAnyMethod && policy.SupportsCredentials ?
-                new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method }
-                : policy.Methods;
+            var allowedMethods = policy.AllowAnyMethod ?
+                new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method } :
+                policy.Methods;
             AddHeaderValues(result.AllowedMethods, allowedMethods);
 
-            var allowedHeaders = policy.AllowAnyHeader && policy.SupportsCredentials ?
-                context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders) : policy.Headers;
+            var allowedHeaders = policy.AllowAnyHeader ?
+                context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders) :
+                policy.Headers;
             AddHeaderValues(result.AllowedHeaders, allowedHeaders);
         }
 

test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs

@@ -433,7 +433,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             var result = corsService.EvaluatePolicy(requestContext, policy);
 
             // Assert
-            Assert.Equal(new[] { "*" }, result.AllowedMethods);
+            Assert.Equal(new[] { "GET" }, result.AllowedMethods);
         }
 
         [Theory]
@@ -474,12 +474,12 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             var result = corsService.EvaluatePolicy(requestContext, policy);
 
             // Assert
-            Assert.Equal(new[] { "*" }, result.AllowedHeaders);
-            Assert.Equal(new[] { "*" }, result.AllowedMethods);
+            Assert.Empty(result.AllowedHeaders);
+            Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
         }
 
         [Fact]
-        public void EvaluatePolicy_PreflightRequest_AllowAllHeaders()
+        public void EvaluatePolicy_PreflightRequest_AllowAllHeaders_ReflectsRequestHeaders()
         {
             // Arrange
             var corsService = GetCorsService();
@@ -497,8 +497,8 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             var result = corsService.EvaluatePolicy(requestContext, policy);
 
             // Assert
-            Assert.Equal(new[] { "*" }, result.AllowedHeaders);
-            Assert.Equal(new[] { "*" }, result.AllowedMethods);
+            Assert.Equal(new[] { "foo", "bar" }, result.AllowedHeaders);
+            Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
         }
 
         [Fact]
@@ -522,7 +522,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 
             // Assert
             Assert.Equal(new[] { "match", "foo" }, result.AllowedHeaders);
-            Assert.Equal(new[] { "*" }, result.AllowedMethods);
+            Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
         }
 
         [Fact]