summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRussell Branca <chewbranca@gmail.com>2013-11-07 11:34:58 -0800
committerRussell Branca <chewbranca@gmail.com>2013-11-07 11:41:50 -0800
commit4f619833695abb38b25d670c88bfdf9324c79f40 (patch)
tree2c0bbf7c28a73e803e2e0ee3a62811bff497c361
parent6ee2e7204ee9625ec6ce299db7a0ac2a388d59a0 (diff)
downloadcouchdb-4f619833695abb38b25d670c88bfdf9324c79f40.tar.gz
COUCHDB-1922: fix CORS exposed headers
-rw-r--r--src/couchdb/couch_httpd_cors.erl8
-rw-r--r--test/etap/231-cors.t2
2 files changed, 6 insertions, 4 deletions
diff --git a/src/couchdb/couch_httpd_cors.erl b/src/couchdb/couch_httpd_cors.erl
index 91fe1aec0..d9462d1a1 100644
--- a/src/couchdb/couch_httpd_cors.erl
+++ b/src/couchdb/couch_httpd_cors.erl
@@ -35,6 +35,8 @@
% as defined in http://www.w3.org/TR/cors/#terminology
-define(SIMPLE_HEADERS, ["Cache-Control", "Content-Language",
"Content-Type", "Expires", "Last-Modified", "Pragma"]).
+-define(ALLOWED_HEADERS, lists:sort(["Server", "Etag",
+ "Accept-Ranges" | ?SIMPLE_HEADERS])).
-define(SIMPLE_CONTENT_TYPE_VALUES, ["application/x-www-form-urlencoded",
"multipart/form-data", "text/plain"]).
@@ -212,7 +214,7 @@ maybe_apply_cors_headers(CorsHeaders, RequestHeaders0) ->
% return: RequestHeaders ++ CorsHeaders ++ ACEH
RequestHeaders = [K || {K,_V} <- RequestHeaders0],
- ExposedHeaders0 = reduce_headers(RequestHeaders, ?SIMPLE_HEADERS),
+ ExposedHeaders0 = reduce_headers(RequestHeaders, ?ALLOWED_HEADERS),
% here we may have not moved Content-Type into ExposedHeaders,
% now we need to check whether the Content-Type valus is
@@ -242,10 +244,10 @@ reduce_headers(A, B) ->
reduce_headers0(A, B, []).
reduce_headers0([], _B, Result) ->
- Result;
+ lists:sort(Result);
reduce_headers0([ElmA|RestA], B, Result) ->
R = case member_nocase(ElmA, B) of
- true -> Result;
+ false -> Result;
_Else -> [ElmA | Result]
end,
reduce_headers0(RestA, B, R).
diff --git a/test/etap/231-cors.t b/test/etap/231-cors.t
index ce5274792..ec17526b2 100644
--- a/test/etap/231-cors.t
+++ b/test/etap/231-cors.t
@@ -219,7 +219,7 @@ test_db_request(VHost) ->
"http://example.com",
"db Access-Control-Allow-Origin ok"),
etap:is(proplists:get_value("Access-Control-Expose-Headers", RespHeaders),
- "Content-Type, Server",
+ "Cache-Control, Content-Type, Server",
"db Access-Control-Expose-Headers ok");
_ ->
etap:is(false, true, "ibrowse failed")