Don't duplicate CORS headers

Fixes #6182
hashicorp · Feb 11, 2019 · c4c317f · c4c317f
1 parent a0ede31
commit c4c317f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/vault/cors.go b/vault/cors.go
@@ -108,7 +108,7 @@ func (c *CORSConfig) Enable(ctx context.Context, urls []string, headers []string
 	c.AllowedOrigins = urls
 
 	// Start with the standard headers to Vault accepts.
-	c.AllowedHeaders = append(c.AllowedHeaders, StdAllowedHeaders...)
+	c.AllowedHeaders = append([]string{}, StdAllowedHeaders...)
 
 	// Allow the user to add additional headers to the list of
 	// headers allowed on cross-origin requests.

diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
@@ -94,6 +94,25 @@ func TestSystemConfigCORS(t *testing.T) {
 		t.Fatalf("bad: %#v", actual)
 	}
 
+	// Do it again. Bug #6182
+	req = logical.TestRequest(t, logical.UpdateOperation, "config/cors")
+	req.Data["allowed_origins"] = "http://www.example.com"
+	req.Data["allowed_headers"] = "X-Custom-Header"
+	_, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
+	actual, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: %#v", actual)
+	}
+
 	req = logical.TestRequest(t, logical.DeleteOperation, "config/cors")
 	_, err = b.HandleRequest(namespace.RootContext(nil), req)
 	if err != nil {