From 8ad85fc70f7db4dc6b2c1f85890fe016992ba76b Mon Sep 17 00:00:00 2001
From: Vasilis Gerakaris <vasilis.gerakaris@navarino.gr>
Date: Fri, 27 Mar 2020 17:02:28 +0200
Subject: [PATCH] Add safelisted request headers to CORSMiddleware

See https://fetch.spec.whatwg.org/#cors-safelisted-request-header
---
 starlette/middleware/cors.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
index 90ba1801..76c5814f 100644
--- a/starlette/middleware/cors.py
+++ b/starlette/middleware/cors.py
@@ -7,6 +7,7 @@ from starlette.responses import PlainTextResponse, Response
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
 ALL_METHODS = ("DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT")
+SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
 
 
 class CORSMiddleware:
@@ -48,7 +49,8 @@ class CORSMiddleware:
                 "Access-Control-Max-Age": str(max_age),
             }
         )
-        if allow_headers and "*" not in allow_headers:
+        allow_headers = SAFELISTED_HEADERS | set([h.lower for h in allow_headers])
+        if allow_headers and "*" not in allowed_headers:
             preflight_headers["Access-Control-Allow-Headers"] = ", ".join(allow_headers)
         if allow_credentials:
             preflight_headers["Access-Control-Allow-Credentials"] = "true"
@@ -56,7 +58,7 @@ class CORSMiddleware:
         self.app = app
         self.allow_origins = allow_origins
         self.allow_methods = allow_methods
-        self.allow_headers = [h.lower() for h in allow_headers]
+        self.allow_headers = allow_headers
         self.allow_all_origins = "*" in allow_origins
         self.allow_all_headers = "*" in allow_headers
         self.allow_origin_regex = compiled_allow_origin_regex
-- 
2.47.2