Fix safelisted CORS headers implementation 881/head
authorflorimondmanca <florimond.manca@gmail.com>
Fri, 27 Mar 2020 17:14:05 +0000 (18:14 +0100)
committerflorimondmanca <florimond.manca@gmail.com>
Fri, 27 Mar 2020 17:14:05 +0000 (18:14 +0100)
starlette/middleware/cors.py
tests/middleware/test_cors.py

index 692494216f944c33710a5327be694d6b5062d969..338aee863a16a91bea403dc641afa9a3aaef8dc7 100644 (file)
@@ -7,7 +7,7 @@ from starlette.responses import PlainTextResponse, Response
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
 ALL_METHODS = ("DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT")
-SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
+SAFELISTED_HEADERS = {"Accept", "Accept-Language", "Content-Language", "Content-Type"}
 
 
 class CORSMiddleware:
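Review bot: `SAFELISTED_HEADERS` carries no comment saying where the four names come from or that the middleware always advertises them; a reader has to find the union in the constructor hunk further down to learn that. I would add above the constant: `# The Fetch standard's CORS-safelisted request-header names; always merged into Access-Control-Allow-Headers on preflight responses, regardless of allow_headers.` The spec's safelist is conditional on header values (Content-Type is only safelisted for form and plain-text media types), whereas advertising the bare name here approves any value in a preflight — behaviour unchanged by this commit, but worth stating in the comment so the intent is explicit.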
@@ -49,7 +49,7 @@ class CORSMiddleware:
                 "Access-Control-Max-Age": str(max_age),
             }
         )
-        allow_headers = SAFELISTED_HEADERS | set([h.lower for h in allow_headers])
+        allow_headers = sorted(SAFELISTED_HEADERS | set(allow_headers))
         if allow_headers and "*" not in allow_headers:
             preflight_headers["Access-Control-Allow-Headers"] = ", ".join(allow_headers)
         if allow_credentials:
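Review bot: The union on the `allow_headers = sorted(SAFELISTED_HEADERS | set(allow_headers))` line compares names case-sensitively, so a caller passing e.g. `"content-type"` ends up with both `Content-Type` and `content-type` in the Access-Control-Allow-Headers value; the removed line at least intended to lower-case before the union, the new one does not. A case-insensitive merge keeps the advertised list free of duplicates: `by_name = {h.lower(): h for h in [*SAFELISTED_HEADERS, *allow_headers]}` followed by `allow_headers = sorted(by_name.values())`. With the non-empty safelist now always merged in, the `if allow_headers and "*" not in allow_headers:` guard can no longer be false on its first operand and reduces to `if "*" not in allow_headers:`. Neither test hunk (test_cors_allow_specific_origin, test_cors_allow_origin_regex) passes a safelisted name in a different case, so the duplicate is not caught, and the enclosing method (presumably `__init__`) starts before and ends after this hunk.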
@@ -58,7 +58,7 @@ class CORSMiddleware:
         self.app = app
         self.allow_origins = allow_origins
         self.allow_methods = allow_methods
-        self.allow_headers = allow_headers
+        self.allow_headers = [h.lower() for h in allow_headers]
         self.allow_all_origins = "*" in allow_origins
         self.allow_all_headers = "*" in allow_headers
         self.allow_origin_regex = compiled_allow_origin_regex
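Review bot: `self.allow_headers = [h.lower() for h in allow_headers]` stores lower-cased copies without saying why, and on the new side `allow_headers` at this point is already the sorted merge with the safelist (rebound in the previous hunk, assuming both hunks lie in the same constructor), so the attribute silently includes the four safelisted names as well. A one-line comment would spare the next reader that trace: `# Lower-cased (safelist included) so request header names can be matched case-insensitively.` If the list is only used for membership tests elsewhere, a set comprehension would fit better, but that use is outside this hunk. The enclosing method starts and ends outside the hunk.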
index e8bf72fdda42c583068a8b2435e0e465a404b884..a5b6e62358182adeb92c365083e0e52cd304bf90 100644 (file)
@@ -74,7 +74,9 @@ def test_cors_allow_specific_origin():
     assert response.status_code == 200
     assert response.text == "OK"
     assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-allow-headers"] == "X-Example, Content-Type"
+    assert response.headers["access-control-allow-headers"] == (
+        "Accept, Accept-Language, Content-Language, Content-Type, X-Example"
+    )
 
     # Test standard response
     headers = {"Origin": "https://example.org"}
@@ -157,7 +159,9 @@ def test_cors_allow_origin_regex():
     assert response.status_code == 200
     assert response.text == "OK"
     assert response.headers["access-control-allow-origin"] == "https://another.com"
-    assert response.headers["access-control-allow-headers"] == "X-Example, Content-Type"
+    assert response.headers["access-control-allow-headers"] == (
+        "Accept, Accept-Language, Content-Language, Content-Type, X-Example"
+    )
 
     # Test disallowed pre-flight response
     headers = {