Do not merge XHR preflight and response headers

Fixes #2592.

lib/jsdom/living/xhr-utils.js

@@ -46,12 +46,6 @@ function updateRequestHeader(requestHeaders, header, newValue) {
   }
 }
 
-function mergeHeaders(lhs, rhs) {
-  const rhsParts = rhs.split(",");
-  const lhsParts = lhs.split(",");
-  return rhsParts.concat(lhsParts.filter(p => rhsParts.indexOf(p) < 0)).join(",");
-}
-
 function dispatchError(xhr) {
   const errMessage = xhr[xhrSymbols.properties].error;
   requestErrorSteps(xhr, "error", new DOMException(errMessage, "NetworkError"));
@@ -369,16 +363,7 @@ function createClient(xhr) {
         return;
       }
       const realClient = doRequest();
-      realClient.on("response", res => {
-        for (const header in resp.headers) {
-          if (preflightHeaders.has(header)) {
-            res.headers[header] = Object.prototype.hasOwnProperty.call(res.headers, header) ?
-                                  mergeHeaders(res.headers[header], resp.headers[header]) :
-                                  resp.headers[header];
-          }
-        }
-        client.emit("response", res);
-      });
+      realClient.on("response", res => client.emit("response", res));
       realClient.on("data", chunk => client.emit("data", chunk));
       realClient.on("end", () => client.emit("end"));
       realClient.on("abort", () => client.emit("abort"));

test/to-port-to-wpts/cors.js

@@ -25,10 +25,16 @@ function createCORSServer() {
         res.end();
       } else if (Object.prototype.hasOwnProperty.call(routes, req.url)) {
         const route = routes[req.url];
-        res.writeHead(200, { "Content-Length": route.length });
+        res.writeHead(200, {
+          "Content-Length": route.length,
+          "Access-Control-Allow-Origin": "*"
+        });
         res.end(route);
       } else {
-        res.writeHead(200, { "Content-Length": 0 });
+        res.writeHead(200, {
+          "Content-Length": 0,
+          "Access-Control-Allow-Origin": "*"
+        });
         res.end();
       }
     }, 200);

test/web-platform-tests/to-upstream/xhr/access-control-preflight-request-header-returns-origin.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Access-Control-Request-Origin accept different origin between preflight and actual request</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+"use strict";
+
+async_test(t => {
+  const xhr = new XMLHttpRequest();
+
+  xhr.open("GET", corsURL("resources/access-control-preflight-request-header-returns-origin.py"));
+
+  xhr.setRequestHeader("X-Test", "foobar");
+
+  xhr.onerror = t.unreached_func("Error occurred.");
+
+  xhr.onload = t.step_func_done(() => {
+    assert_equals(xhr.status, 200);
+    assert_equals(xhr.responseText, "PASS");
+  });
+
+  xhr.send();
+});
+
+function corsURL(path) {
+  const url = new URL(path, location.href);
+  url.hostname = "www1." + url.hostname;
+  return url.href;
+}
+</script>

test/web-platform-tests/to-upstream/xhr/resources/access-control-preflight-request-header-returns-origin.py

@@ -0,0 +1,12 @@
+def main(request, response):
+    if request.method == "OPTIONS":
+        response.headers.set("Access-Control-Allow-Origin", request.headers.get('origin'))
+        response.headers.set("Access-Control-Allow-Headers", "X-Test")
+        response.status = 200
+    elif request.method == "GET":
+        response.headers.set("Access-Control-Allow-Origin", "*")
+        if request.headers.get("X-Test"):
+            response.headers.set("Content-Type", "text/plain")
+            response.content = "PASS"
+        else:
+            response.status = 400