Russell Branca created COUCHDB-1922:
---------------------------------------

Summary: CORS bug with reduce_headers and ?SIMPLE_HEADERS
Key: COUCHDB-1922
URL: https://issues.apache.org/jira/browse/COUCHDB-1922
Project: CouchDB
Issue Type: Bug
Components: HTTP Interface
Reporter: Russell Branca

The current implementation of couch_httpd_cors:reduce_headers0/3 has a bug in matching against couch_httpd_cors:member_nocase/2, where the atom `true` should actually be the atom `false`: [1]. This currently has the effect of never removing the disallowed elements from the list, as desired.

The immediate fix of `s/true/false/` on that line breaks two additional tests that expect the "Server" header to be passed through to the response, because "Server" is not in the list `?SIMPLE_HEADERS` [2], nor should it be as per the spec [3].

We'll want to construct a list of allowed headers that is the union of the simple headers and the allowed CouchDB headers, like "Server".

[1] https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L248
[2] https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L35-L37
[3] http://www.w3.org/TR/cors/#simple-header
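The filtering behaviour the report asks for, as an added Erlang example that is not CouchDB's own code: header names are matched case-insensitively against the union of the CORS simple response headers and an allow-list of CouchDB headers. The module name, the macro names and the contents of `?COUCH_HEADERS` beyond "Server" are assumptions; the simple-header list is taken from the W3C CORS spec cited as [3].

```erlang
-module(cors_header_filter_example).
-export([allowed_headers/0, reduce_headers/2, demo/0]).

%% Simple response headers as listed in the W3C CORS spec.
-define(SPEC_SIMPLE_HEADERS, ["Cache-Control", "Content-Language",
                              "Content-Type", "Expires",
                              "Last-Modified", "Pragma"]).
%% Assumption: CouchDB-specific headers that may pass through.
%% Only "Server" is named in the issue.
-define(COUCH_HEADERS, ["Server"]).

%% Union of both lists, without duplicates.
allowed_headers() ->
    lists:usort(?SPEC_SIMPLE_HEADERS ++ ?COUCH_HEADERS).

%% Keep only the names in Headers that appear in Allowed,
%% compared case-insensitively. Result is sorted.
reduce_headers(Headers, Allowed) ->
    reduce_headers0(Headers, Allowed, []).

reduce_headers0([], _Allowed, Acc) ->
    lists:sort(Acc);
reduce_headers0([H | Rest], Allowed, Acc) ->
    Acc1 = case member_nocase(H, Allowed) of
        false -> Acc;        % not in the allow-list: drop it
        true  -> [H | Acc]   % allowed: keep it
    end,
    reduce_headers0(Rest, Allowed, Acc1).

member_nocase(Name, List) ->
    Lower = string:to_lower(Name),
    lists:any(fun(E) -> string:to_lower(E) =:= Lower end, List).

%% Constructed sample input; each match below crashes if the
%% filter returns anything else.
demo() ->
    Headers = ["content-type", "SERVER", "X-Internal-Debug", "Set-Cookie"],
    %% With the union list, "Server" survives and the rest is removed.
    ["SERVER", "content-type"] = reduce_headers(Headers, allowed_headers()),
    %% With the simple headers alone, "Server" is removed as well,
    %% which is the test breakage the report describes.
    ["content-type"] = reduce_headers(Headers, ?SPEC_SIMPLE_HEADERS),
    ok.
```

Compile the module and call `cors_header_filter_example:demo().` in an Erlang shell; it returns `ok` when both filters behave as commented.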