CouchDB / COUCHDB-1922

CORS bug with reduce_headers and ?SIMPLE_HEADERS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Labels:
      None

      Description

      The current implementation of couch_httpd_cors:reduce_headers0/3 has a bug in matching against couch_httpd_cors:member_nocase/2, where the atom `true` should actually be the atom `false`: [1].

      This currently has the effect of never removing the disallowed elements from the list, as desired. The immediate fix of `s/true/false/` on that line breaks two additional tests that expect the "Server" header to be passed through to the response, because "Server" is not in the list `?SIMPLE_HEADERS` [2], nor should it be as per the spec [3].

      We'll want to construct a list of allowed headers that is the union of the simple headers and the allowed CouchDB headers, like "Server".

      [1] https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L248
      [2] https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L35-L37
      [3] http://www.w3.org/TR/cors/#simple-header
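
The allowlist union proposed in the description, as an added Erlang example; it is not code from couch_httpd_cors.erl. The module name, function names, the contents of `COUCH_HEADERS` beyond "Server", and the sample headers are assumptions made for illustration.

```erlang
-module(cors_allowlist_example).
-export([allowed_headers/0, reduce_headers/2, demo/0]).

%% Simple response headers from the CORS spec cited as [3].
-define(SIMPLE_HEADERS, ["Cache-Control", "Content-Language", "Content-Type",
                         "Expires", "Last-Modified", "Pragma"]).
%% Assumption: CouchDB-specific pass-through headers. "Server" is the only
%% one the report names.
-define(COUCH_HEADERS, ["Server"]).

%% Union of both lists, lower-cased so that matching is case-insensitive.
allowed_headers() ->
    lists:usort([string:lowercase(H)
                 || H <- ?SIMPLE_HEADERS ++ ?COUCH_HEADERS]).

%% Keep a header only when its lower-cased name is in the allowlist;
%% a failed membership test means the header is dropped.
reduce_headers(Headers, Allowed) ->
    [H || {Name, _Value} = H <- Headers,
          lists:member(string:lowercase(Name), Allowed)].

demo() ->
    %% Constructed sample response headers, not captured from CouchDB.
    Headers = [{"content-type", "application/json"},
               {"Server", "CouchDB"},
               {"ETag", "\"constructed-etag\""},
               {"X-Internal-Debug", "constructed"}],
    SimpleOnly = [string:lowercase(H) || H <- ?SIMPLE_HEADERS],
    %% Filtering against the simple headers alone drops "Server", which is
    %% the test breakage the description mentions.
    [{"content-type", _}] = reduce_headers(Headers, SimpleOnly),
    %% Filtering against the union keeps "Server" and still drops the
    %% headers that are in neither list.
    [{"content-type", _}, {"Server", _}] =
        reduce_headers(Headers, allowed_headers()),
    ok.
```

Calling `cors_allowlist_example:demo()` returns `ok` when both pattern matches hold.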

            People

            • Assignee: chewbranca Russell Branca
            • Reporter: chewbranca Russell Branca