Merge pull request #347 from justinmchase/fix/346-handle-empty-acrh

Handle the case where the access-control-request-header is not provided
jamhall · Dec 3, 2018 · 2ec958a · 2ec958a
2 parents 80ad50c + 23b752a
commit 2ec958a
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/lib/cors.js b/lib/cors.js
@@ -86,9 +86,10 @@ module.exports = function cors(config) {
         return res.status(403).send(template);
       }
 
-      const requestHeaders = (
-        req.get("access-control-request-headers") || ""
-      ).split(",");
+      const requestHeaders = req.get("access-control-request-headers")
+        ? req.get("access-control-request-headers").split(",")
+        : [];
+
       const allowedHeaders = matchedRule
         ? requestHeaders
             .map(header => header.trim().toLowerCase())

diff --git a/test/test.js b/test/test.js
@@ -1302,6 +1302,37 @@ describe("S3rver CORS Policy Tests", function() {
       expect(error).to.exist;
     }
   });
+
+  it("should respond correctly to OPTIONS requests that dont specify access-control-request-headers", function*() {
+    const origin = "http://a-test.example.com";
+    const params = { Bucket: bucket, Key: "image" };
+    const url = s3Client.getSignedUrl("getObject", params);
+    let server;
+    yield thunkToPromise(done => {
+      server = new S3rver({
+        port: 4569,
+        silent: true,
+        cors: fs.readFileSync("./test/resources/cors_test1.xml")
+      }).run(done);
+    });
+    let error;
+    try {
+      yield request({
+        method: "OPTIONS",
+        url,
+        headers: {
+          origin,
+          "Access-Control-Request-Method": "GET"
+          // No Access-Control-Request-Headers specified...
+        }
+      });
+    } catch (err) {
+      error = err;
+    } finally {
+      yield thunkToPromise(done => server.close(done));
+      expect(error).to.not.exist;
+    }
+  });
 });
 
 describe("S3rver Tests with Static Web Hosting", function() {