From: Vasilis Gerakaris
Date: Fri, 27 Mar 2020 15:02:28 +0000 (+0200)
Subject: Add safelisted request headers to CORSMiddleware
X-Git-Tag: 0.13.3~5^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F880%2Fhead;p=thirdparty%2Fstarlette.git

Add safelisted request headers to CORSMiddleware

See https://fetch.spec.whatwg.org/#cors-safelisted-request-header
---

diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
index 90ba1801..76c5814f 100644
--- a/starlette/middleware/cors.py
+++ b/starlette/middleware/cors.py
@@ -7,6 +7,7 @@ from starlette.responses import PlainTextResponse, Response
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
 ALL_METHODS = ("DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT")
+SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
 
 
 class CORSMiddleware:
@@ -48,7 +49,8 @@ class CORSMiddleware:
                 "Access-Control-Max-Age": str(max_age),
             }
         )
-        if allow_headers and "*" not in allow_headers:
+        allow_headers = SAFELISTED_HEADERS | set([h.lower for h in allow_headers])
+        if allow_headers and "*" not in allowed_headers:
             preflight_headers["Access-Control-Allow-Headers"] = ", ".join(allow_headers)
         if allow_credentials:
             preflight_headers["Access-Control-Allow-Credentials"] = "true"
@@ -56,7 +58,7 @@ class CORSMiddleware:
         self.app = app
         self.allow_origins = allow_origins
         self.allow_methods = allow_methods
-        self.allow_headers = [h.lower() for h in allow_headers]
+        self.allow_headers = allow_headers
         self.allow_all_origins = "*" in allow_origins
         self.allow_all_headers = "*" in allow_headers
         self.allow_origin_regex = compiled_allow_origin_regex
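Review bot: The new `SAFELISTED_HEADERS` constant names the Fetch spec's CORS-safelisted request headers, but the spec safelists them only subject to value restrictions (for example `content-type` is safelisted only for `application/x-www-form-urlencoded`, `multipart/form-data` and `text/plain`), and nothing in this module enforces those restrictions. Once these names are unconditionally emitted in `Access-Control-Allow-Headers`, a browser will accept a preflighted request with any `Content-Type` from an allowed origin, which is a wider grant than the spec's safelist and worth stating at the definition. I would add above the constant: `# Header names a browser may send without a preflight per the Fetch spec. Listing them here widens the grant to any value (e.g. Content-Type: application/json), which the spec's safelist does not cover.`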
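Review bot: The two added lines in this hunk do not run as intended: `h.lower` is referenced without being called, so the set is filled with bound-method objects rather than lowercased header names, and the following `if` tests `allowed_headers`, a name that is not defined anywhere in the hunk, which raises `NameError` on every construction now that the union makes `allow_headers` always truthy. The lines should read `allow_headers = SAFELISTED_HEADERS | {h.lower() for h in allow_headers}` and `if allow_headers and "*" not in allow_headers:`. Because `allow_headers` is now a set, `", ".join(allow_headers)` also produces an order that varies between interpreter runs; `", ".join(sorted(allow_headers))` keeps the emitted `Access-Control-Allow-Headers` value deterministic and testable. The enclosing `__init__` starts before this hunk and continues after it.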
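Review bot: `self.allow_headers = allow_headers` changes the attribute from a list of lowercased strings to whatever the earlier hunk assigned, which as written is a set containing `str.lower` method objects rather than names, so any later membership test of a request's `Access-Control-Request-Headers` entries against `self.allow_headers` (outside this hunk) would presumably never match a user-supplied header; this is fixed only if the `.lower()` call in the other hunk is repaired. Since this line is the one that used to guarantee lowercasing, I would keep it self-contained as `self.allow_headers = {h.lower() for h in allow_headers}` so that the stored value is correct regardless of how the preflight computation above evolves, and note the type change in the class docstring. `__init__` continues past the end of this hunk.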