From a74235c7ec22c8801619550f7d6a223a08890a9a Mon Sep 17 00:00:00 2001
From: Pranav K
Date: Fri, 26 Oct 2018 10:12:00 -0700
Subject: [PATCH] Reflect Access-Control-Request-Headers and Access-Control-Request-Method when policy is configured to support wildcard
Fixes https://github.com/aspnet/AspNetCore/issues/3684
---
 .../Infrastructure/CorsService.cs | 11 ++++++-----
 .../CorsServiceTests.cs | 14 +++++++-------
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
index 78e2371c78..16670add2c 100644
--- a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
+++ b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
@@ -139,13 +139,14 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 // https://fetch.spec.whatwg.org/#http-new-header-syntax
 AddHeaderValues(result.AllowedExposedHeaders, policy.ExposedHeaders);
- var allowedMethods = policy.AllowAnyMethod && policy.SupportsCredentials ?
- new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method }
- : policy.Methods;
+ var allowedMethods = policy.AllowAnyMethod ?
+ new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method } :
+ policy.Methods;
 AddHeaderValues(result.AllowedMethods, allowedMethods);
- var allowedHeaders = policy.AllowAnyHeader && policy.SupportsCredentials ?
- context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders) : policy.Headers;
+ var allowedHeaders = policy.AllowAnyHeader ?
+ context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders) :
+ policy.Headers;
 AddHeaderValues(result.AllowedHeaders, allowedHeaders);
 }
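Review bot: With the `&& policy.SupportsCredentials` condition removed, every `AllowAnyMethod` / `AllowAnyHeader` policy now echoes the client's `Access-Control-Request-Method` and `Access-Control-Request-Headers` back into the result, so the response depends on request headers in the `allowedMethods` and `allowedHeaders` assignments. Nothing in this hunk adds a matching `Vary` entry; the method body starts and ends outside the hunk, so it is worth confirming that the response carries `Vary: Access-Control-Request-Method, Access-Control-Request-Headers`, otherwise an intermediary that caches OPTIONS responses could hand one caller's reflected allow-list to another. The reflected method is also read with a plain `(string)` cast, which as far as I know yields null for an absent header and a comma-joined string for a repeated one. A comment above `allowedMethods` such as `// IsPreflightRequest implies Access-Control-Request-Method is present; the value is reflected as-is, not validated` would record the assumption this code relies on.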
diff --git a/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs b/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
index fb47a3f70e..a2ab09d2a0 100644
--- a/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
+++ b/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
@@ -433,7 +433,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 var result = corsService.EvaluatePolicy(requestContext, policy);
 // Assert
- Assert.Equal(new[] { "*" }, result.AllowedMethods);
+ Assert.Equal(new[] { "GET" }, result.AllowedMethods);
 }
 [Theory]
@@ -474,12 +474,12 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 var result = corsService.EvaluatePolicy(requestContext, policy);
 // Assert
- Assert.Equal(new[] { "*" }, result.AllowedHeaders);
- Assert.Equal(new[] { "*" }, result.AllowedMethods);
+ Assert.Empty(result.AllowedHeaders);
+ Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
 }
 [Fact]
- public void EvaluatePolicy_PreflightRequest_AllowAllHeaders()
+ public void EvaluatePolicy_PreflightRequest_AllowAllHeaders_ReflectsRequestHeaders()
 {
 // Arrange
 var corsService = GetCorsService();
@@ -497,8 +497,8 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 var result = corsService.EvaluatePolicy(requestContext, policy);
 // Assert
- Assert.Equal(new[] { "*" }, result.AllowedHeaders);
- Assert.Equal(new[] { "*" }, result.AllowedMethods);
+ Assert.Equal(new[] { "foo", "bar" }, result.AllowedHeaders);
+ Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
 }
 [Fact]
@@ -522,7 +522,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 // Assert
 Assert.Equal(new[] { "match", "foo" }, result.AllowedHeaders);
- Assert.Equal(new[] { "*" }, result.AllowedMethods);
+ Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
 }
 [Fact]