Merge pull request #422 from spoof/master

Fix parsing of 'Access-Control-Request-Headers' header
Cornices · Dec 14, 2016 · 3b4c0ae · 3b4c0ae
2 parents 33de169 + aa7f7ff
commit 3b4c0ae
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -6,7 +6,11 @@ CHANGELOG
 2.3.0 (unreleased)
 ==================
 
-- Nothing changed yet.
+**Bug fixes**
+
+- Fix ``cornice.cors.get_cors_preflight_view`` to make it parse
+  `Access-Control-Request-Headers` header correctly event if its value
+  contains zero number of white spaces between commas (#422)
 
 
 2.2.0 (2016-11-25)

diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
@@ -81,3 +81,4 @@ Cornice:
 * Vincent Fretin <vincent.fretin@gmail.com>
 * Ymage <o2heltem@gmail.com>
 * Volodymyr Maksymiv <vmaksymiv@quintagroup.com>
+* Sergey Safonov <spoof@spoofa.info>
diff --git a/cornice/cors.py b/cornice/cors.py
@@ -39,7 +39,7 @@ def _preflight_view(request):
             request.headers.get('Access-Control-Request-Headers', ()))
 
         if requested_headers:
-            requested_headers = map(str.strip, requested_headers.split(', '))
+            requested_headers = map(str.strip, requested_headers.split(','))
 
         if requested_method not in service.cors_supported_methods:
             request.errors.add('header', 'Access-Control-Request-Method',

diff --git a/tests/test_cors.py b/tests/test_cors.py
@@ -68,6 +68,12 @@ def moar_spam(request):
     return 'moar spam'
 
 
+@eggs.get(cors_origins=('notmyidea.org',),
+          cors_headers=('X-My-Header', 'X-Another-Header', 'X-Another-Header2'))
+def get_eggs(request):
+    return "eggs"
+
+
 def is_bacon_good(request, **kwargs):
     if not request.matchdict['type'].endswith('good'):
         request.errors.add('querystring', 'type', 'should be better!')
@@ -278,11 +284,24 @@ def test_preflight_request_headers_are_included(self):
         self.assertIn('baz', headers)
 
     def test_preflight_request_headers_isnt_too_permissive(self):
+        # The specification says we can have any number of LWS (Linear white
+        # spaces) in the values.
+        self.app.options(
+            '/eggs', headers={
+                'Origin': 'notmyidea.org',
+                'Access-Control-Request-Method': 'GET',
+                'Access-Control-Request-Headers': (
+                    '  X-My-Header  ,X-Another-Header,   X-Another-Header2 '
+                )},
+            status=200)
+
         self.app.options(
             '/eggs', headers={
                 'Origin': 'notmyidea.org',
                 'Access-Control-Request-Method': 'GET',
-                'Access-Control-Request-Headers': 'foo,bar,baz'},
+                'Access-Control-Request-Headers': (
+                    'X-My-Header   ,baz ,  X-Another-Header  '
+                )},
             status=400)
 
     def test_preflight_headers_arent_case_sensitive(self):