[
https://issues.apache.org/jira/browse/COUCHDB-1922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13816327#comment-13816327
]
ASF subversion and git services commented on COUCHDB-1922:
----------------------------------------------------------
Commit a9486d2668939fb87a7298d31a7717be0d1912cc in branch
refs/heads/1922-cors-reduce-headers from [~chewbranca]
[ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=a9486d2 ]
COUCHDB-1922: fix CORS exposed headers
> CORS bug with reduce_headers and ?SIMPLE_HEADERS
> ------------------------------------------------
>
> Key: COUCHDB-1922
> URL: https://issues.apache.org/jira/browse/COUCHDB-1922
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Reporter: Russell Branca
>
> The current implementation of couch_httpd_cors:reduce_headers0/3 has a bug in
> matching against couch_httpd_cors:member_nocase/2, where the atom `true`
> should actually be the atom `false`: [1].
> This currently has the effect of never removing the disallowed elements from
> the list, as desired. The immediate fix of `s/true/false/` on that line
> breaks two additional tests that expect the "Server" header to be passed
> through to the response, because "Server" is not in the list
> `?SIMPLE_HEADERS` [2], nor should it be as per the spec [3].
> We'll want to construct a list of allowed headers that is the union of the
> simple headers and the allowed CouchDB headers, like "Server".
> [1]
> https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L248
> [2]
> https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L35-L37
> [3] http://www.w3.org/TR/cors/#simple-header
--
This message was sent by Atlassian JIRA
(v6.1#6144)
