Diff

plugins/mod_http.lua @ 13069:45caa4e43775

mod_http: Fix reliance on previous tostring() format of util.set

a863e4237b91 unintentionally changed the format of HTTP CORS headers, which were apparently relying on the output of tostring(), which it shouldn't have. Explicitly serializing it this time.
author Kim Alvefur <zash@zash.se>
date Mon, 10 Apr 2023 11:50:27 +0200
parent 12977:74b9e05af71e
child 13107:9c4dc1e6d2c9
--- a/plugins/mod_http.lua	Sun Apr 09 22:31:12 2023 +0200
+++ b/plugins/mod_http.lua	Mon Apr 10 11:50:27 2023 +0200
@@ -17,6 +17,7 @@
 local url_build = require "socket.url".build;
 local normalize_path = require "prosody.util.http".normalize_path;
 local set = require "prosody.util.set";
+local array = require "util.array";
 
 local ip_util = require "prosody.util.ip";
 local new_ip = ip_util.new_ip;
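Review bot: The added `require "util.array"` uses the un-prefixed module path, while every neighbouring require in this hunk goes through the `prosody.` namespace (`prosody.util.http`, `prosody.util.set`, `prosody.util.ip`). Depending on how the loader resolves the two names, this could fail to load or cache a second copy of the module under a different key. Writing `local array = require "prosody.util.array";` would match the rest of the file.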
@@ -112,12 +113,16 @@
 	return "http://disabled.invalid/";
 end
 
+local function header_set_tostring(header_value)
+	return array(pairs(header_value._items)):concat(", ");
+end
+
 local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin)
 	if allowed_origins and not allowed_origins[origin] then
 		return;
 	end
-	response.headers.access_control_allow_methods = tostring(methods);
-	response.headers.access_control_allow_headers = tostring(headers);
+	response.headers.access_control_allow_methods = header_set_tostring(methods);
+	response.headers.access_control_allow_headers = header_set_tostring(headers);
 	response.headers.access_control_max_age = tostring(max_age)
 	response.headers.access_control_allow_origin = origin or "*";
 	if allow_credentials then
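Review bot: `header_set_tostring` reads the private `_items` field of util.set, so the CORS header values now depend on the set's internal layout much as they previously depended on its tostring() format. Going through the public iterator, `return array(header_value:items()):concat(", ");`, would keep the serialization independent of that representation; it is worth confirming that `items()` yields the members in the util.set version this targets. Because pairs() order is unspecified, the member order in Access-Control-Allow-Methods and Access-Control-Allow-Headers can vary between runs, and adding `:sort()` before `:concat(", ")` would make the emitted header stable for tests. A one-line comment on the helper, such as `-- Serialize a util.set as a comma-separated HTTP header list`, would also record why tostring() must not be used here. apply_cors_headers continues past the end of the hunk.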