diff --git a/src/middleware/cors.rs b/src/middleware/cors.rs index 11d69a8ac..a61727409 100644 --- a/src/middleware/cors.rs +++ b/src/middleware/cors.rs @@ -839,21 +839,7 @@ impl CorsBuilder { if !self.expose_hdrs.is_empty() { cors.expose_hdrs = Some( self.expose_hdrs.iter() - .fold(String::new(), |s, v| { - let header = v.as_str().split('-') - .fold(String::new(), |h, w| { - let cap = w.chars() - .next() - .unwrap() - .to_uppercase() - .collect::(); - - format!("{}-{}{}", &h, &cap, &w[1..]) - })[1..] - .to_owned(); - - format!("{}, {}", s, header) - })[2..] + .fold(String::new(), |s, v| format!("{}, {}", s, v.as_str()))[2..] .to_owned() ); } @@ -1086,13 +1072,14 @@ mod tests { #[test] fn test_response() { + let exposed_headers = vec![header::AUTHORIZATION, header::ACCEPT]; let cors = Cors::build() .send_wildcard() .disable_preflight() .max_age(3600) .allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST]) - .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT]) - .expose_headers(vec![header::AUTHORIZATION, header::ACCEPT]) + .allowed_headers(exposed_headers.clone()) + .expose_headers(exposed_headers.clone()) .allowed_header(header::CONTENT_TYPE) .finish(); @@ -1109,18 +1096,26 @@ mod tests { .unwrap() .as_bytes() ); - assert_eq!( - &b"Authorization, Accept"[..], - resp.headers() - .get(header::ACCESS_CONTROL_EXPOSE_HEADERS) - .unwrap() - .as_bytes() - ); assert_eq!( &b"Origin"[..], resp.headers().get(header::VARY).unwrap().as_bytes() ); + { + let headers = resp.headers() + .get(header::ACCESS_CONTROL_EXPOSE_HEADERS) + .unwrap() + .to_str() + .unwrap() + .split(',') + .map(|s| s.trim()) + .collect::>(); + + for h in exposed_headers { + assert!(headers.contains(&h.as_str())); + } + } + let resp: HttpResponse = HttpResponse::Ok().header(header::VARY, "Accept").finish(); let resp = cors.response(&req, resp).unwrap().response();