Make preflight request header check case-insensitive #29
Conversation
…request headers Signed-off-by: Norgerman <xyn0410@gmail.com>
|
Hi @Norgerman, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution! TTYL, DNFBOT; |
|
@Norgerman, Thanks for signing the contribution license agreement so quickly! Actual humans will now validate the agreement and then evaluate the PR. |
Eilon
changed the title
| @@ -97,7 +97,8 @@ public virtual void EvaluatePreflightRequest(HttpContext context, CorsPolicy pol | |||
|
|
|||
| if (!policy.AllowAnyHeader && | |||
| requestHeaders != null && | |||
| !requestHeaders.All(header => policy.Headers.Contains(header, StringComparer.Ordinal))) | |||
| !requestHeaders.All(header => CorsConstants.SimpleRequestHeaders.Contains(header, StringComparer.OrdinalIgnoreCase) || | |||
| policy.Headers.Contains(header, StringComparer.OrdinalIgnoreCase))) | |||
There was a problem hiding this comment.
Is this change correct? This is supposed to be case-sensitive for any header other than non-simple + content-type header, right?...like can you add a test where the header in the request is "version" and the policy is "Version"...this should not match..
|
⌚ |
|
I have tested this use jquery ajax in chrome, Access-Control-Request-Headers are always in lower case. So the server is not able to get Access-Control-Request-Headers values like Version or verSion, the value will always be version. Thanks for your review. |
|
|
|
commit 38728a6 Thanks for the contribution! @Norgerman |
|
👍 |
In jquery ajax(maybe in old versions), the
Access-Control-Request-HeadersinOPTIONSrequest value is lower case and will containsacceptheader which is already inSimpleRequestHeaders