From 7ef4f5ac0b69463e2d616c68f82f5b65c958ed28 Mon Sep 17 00:00:00 2001
From: James <theavitex@gmail.com>
Date: Sun, 5 May 2019 01:41:37 +1000
Subject: [PATCH] Make request headers optional in CORS preflight (#816)

---
 src/middleware/cors.rs | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/middleware/cors.rs b/src/middleware/cors.rs
index 6e2ec9d0..bd57c66a 100644
--- a/src/middleware/cors.rs
+++ b/src/middleware/cors.rs
@@ -81,13 +81,6 @@ pub enum CorsError {
         fmt = "The request header `Access-Control-Request-Headers`  has an invalid value"
     )]
     BadRequestHeaders,
-    /// The request header `Access-Control-Request-Headers`  is required but is
-    /// missing.
-    #[display(
-        fmt = "The request header `Access-Control-Request-Headers`  is required but is
-                     missing"
-    )]
-    MissingRequestHeaders,
     /// Origin is not allowed to make this request
     #[display(fmt = "Origin is not allowed to make this request")]
     OriginNotAllowed,
@@ -661,15 +654,18 @@ impl Inner {
                                 Err(_) => return Err(CorsError::BadRequestHeaders),
                             };
                         }
-
-                        if !hdrs.is_empty() && !hdrs.is_subset(allowed_headers) {
-                            return Err(CorsError::HeadersNotAllowed);
+                        // `Access-Control-Request-Headers` must contain 1 or more
+                        // `field-name`.
+                        if !hdrs.is_empty() {
+                            if !hdrs.is_subset(allowed_headers) {
+                                return Err(CorsError::HeadersNotAllowed);
+                            }
+                            return Ok(());
                         }
-                        return Ok(());
                     }
                     Err(CorsError::BadRequestHeaders)
                 } else {
-                    Err(CorsError::MissingRequestHeaders)
+                    return Ok(());
                 }
             }
         }
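Review bot: The `return Ok(());` in the `else` branch is the tail expression of the `if`/`else`, so the explicit `return` is needless (clippy `needless_return`); `Ok(())` alone matches the expression form of the `Err(CorsError::MissingRequestHeaders)` it replaces. Separately, as far as the hunk shows, a present-but-empty `Access-Control-Request-Headers` value no longer enters the new `if !hdrs.is_empty()` block and falls through to `Err(CorsError::BadRequestHeaders)` after the closing brace, where the old code returned `Ok(())`; that agrees with the added comment but is a behavior change worth stating in the commit message and covering with a test. Dropping the public `CorsError::MissingRequestHeaders` variant in the first hunk is also a breaking change for any caller matching on it. The enclosing method begins before this hunk.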
@@ -874,6 +870,10 @@ mod tests {
 
         let req = TestRequest::with_header("Origin", "https://www.example.com")
             .method(Method::OPTIONS)
+            .header(
+                header::ACCESS_CONTROL_REQUEST_HEADERS,
+                "X-Not-Allowed",
+            )
             .to_srv_request();
 
         assert!(cors.inner.validate_allowed_method(req.head()).is_err());
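Review bot: The added `Access-Control-Request-Headers: X-Not-Allowed` header is not asserted on within this hunk — the only check that follows is `validate_allowed_method`, and the test function continues past the hunk. If the remainder does not already do so, an `assert!(cors.inner.validate_allowed_headers(req.head()).is_err());` on this request would pin the `HeadersNotAllowed` path the header was presumably added to reach.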
@@ -887,7 +887,7 @@ mod tests {
             .to_srv_request();
 
         assert!(cors.inner.validate_allowed_method(req.head()).is_err());
-        assert!(cors.inner.validate_allowed_headers(req.head()).is_err());
+        assert!(cors.inner.validate_allowed_headers(req.head()).is_ok());
 
         let req = TestRequest::with_header("Origin", "https://www.example.com")
             .header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
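Review bot: The flipped assertion now pins that an absent `Access-Control-Request-Headers` is accepted, but no test covers the header being present with an empty value, which under the new `if !hdrs.is_empty()` guard falls through to `BadRequestHeaders`. A request built with `.header(header::ACCESS_CONTROL_REQUEST_HEADERS, "")` followed by `assert!(cors.inner.validate_allowed_headers(req.head()).is_err());` would lock that in, so a later refactor cannot silently turn an empty header list back into a pass. The enclosing test function starts before this hunk and continues after it.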