Prevent duplicated Vary headers in CORS processing
Closes gh-24829
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -401,4 +401,16 @@ public class DefaultCorsProcessorTests {
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preventDuplicatedVaryHeaders() throws Exception {
|
||||
this.request.setMethod(HttpMethod.GET.name());
|
||||
this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
|
||||
this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD);
|
||||
this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
|
||||
|
||||
this.processor.processRequest(this.conf, this.request, this.response);
|
||||
assertThat(this.response.getHeaders(HttpHeaders.VARY)).containsOnlyOnce(HttpHeaders.ORIGIN,
|
||||
HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -421,6 +421,25 @@ public class DefaultCorsProcessorTests {
|
||||
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void preventDuplicatedVaryHeaders() {
|
||||
MockServerHttpRequest request = MockServerHttpRequest
|
||||
.method(HttpMethod.GET, "http://domain1.example/test.html")
|
||||
.header(HttpHeaders.ORIGIN, "http://domain1.example")
|
||||
.build();
|
||||
ServerWebExchange exchange = MockServerWebExchange.from(request);
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
HttpHeaders responseHeaders = response.getHeaders();
|
||||
responseHeaders.add(VARY, ORIGIN);
|
||||
responseHeaders.add(VARY, ACCESS_CONTROL_REQUEST_METHOD);
|
||||
responseHeaders.add(VARY, ACCESS_CONTROL_REQUEST_HEADERS);
|
||||
|
||||
this.processor.process(this.conf, exchange);
|
||||
|
||||
assertThat(responseHeaders.get(VARY)).containsOnlyOnce(ORIGIN,
|
||||
ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS);
|
||||
}
|
||||
|
||||
|
||||
private ServerWebExchange actualRequest() {
|
||||
return MockServerWebExchange.from(corsRequest(HttpMethod.GET));
|
||||
|
||||
Reference in New Issue
Block a user