From a51ce02f335498d7a96ba25d8b4a7236e392a09a Mon Sep 17 00:00:00 2001
From: Nathan Fairhurst <nathan.p3pictures@gmail.com>
Date: Sat, 14 Jul 2018 11:33:15 -0700
Subject: [PATCH] Simplify and fix an issue with the cors implementation.  This
 defers more to the corser middleware that's already in use to reduce code and
 chances for error.  This also fixes an issue where disallowed headers would
 be allowed.

---
 lib/http-server.js       | 16 +++++++---------
 test/http-server-test.js | 27 ++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/lib/http-server.js b/lib/http-server.js
index 7e3e06df1..8926001bf 100644
--- a/lib/http-server.js
+++ b/lib/http-server.js
@@ -67,15 +67,13 @@ function HttpServer(options) {
   });
 
   if (options.cors) {
-    this.headers['Access-Control-Allow-Origin'] = '*';
-    this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';
-    if (options.corsHeaders) {
-      options.corsHeaders.split(/\s*,\s*/)
-          .forEach(function (h) { this.headers['Access-Control-Allow-Headers'] += ', ' + h; }, this);
-    }
-    before.push(corser.create(options.corsHeaders ? {
-      requestHeaders: this.headers['Access-Control-Allow-Headers'].split(/\s*,\s*/)
-    } : null));
+    var allowedHeaders =
+      ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Range']
+        .concat(options.corsHeaders ? options.corsHeaders.split(', ') : []);
+
+    before.push(corser.create({
+      requestHeaders: allowedHeaders
+    }));
   }
 
   if (options.robots) {
diff --git a/test/http-server-test.js b/test/http-server-test.js
index e64f04e1d..e0f41f5dd 100644
--- a/test/http-server-test.js
+++ b/test/http-server-test.js
@@ -135,7 +135,27 @@ vows.describe('http-server').addBatch({
       server.listen(8082);
       this.callback(null, server);
     },
-    'and given OPTIONS request': {
+    'and given OPTIONS request with an allowed (and custom) header': {
+      topic: function () {
+        request({
+          method: 'OPTIONS',
+          uri: 'http://127.0.0.1:8082/',
+          headers: {
+            'Access-Control-Request-Method': 'GET',
+            Origin: 'http://example.com',
+            'Access-Control-Request-Headers': 'X-Test'
+          }
+        }, this.callback);
+      },
+      'status code should be 204': function (err, res) {
+        assert.equal(res.statusCode, 204);
+      },
+      'response Access-Control-Allow-Headers should contain X-Test and allow the origin': function (err, res) {
+        assert.ok(/\bX-Test\b/i.test(res.headers['access-control-allow-headers']));
+        assert.ok(res.headers['access-control-allow-origin'] === '*');
+      }
+    },
+    'and given OPTIONS request with a disallowed header': {
       topic: function () {
         request({
           method: 'OPTIONS',
@@ -150,8 +170,9 @@ vows.describe('http-server').addBatch({
       'status code should be 204': function (err, res) {
         assert.equal(res.statusCode, 204);
       },
-      'response Access-Control-Allow-Headers should contain X-Test': function (err, res) {
-        assert.ok(res.headers['access-control-allow-headers'].split(/\s*,\s*/g).indexOf('X-Test') >= 0, 204);
+      'Should not allow the origin': function (err, res) {
+        assert.ok(res.headers['access-control-allow-headers'] === undefined);
+        assert.ok(res.headers['access-control-allow-origin'] === undefined);
       }
     }
   }