# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1681120227 -7200
# Node ID 45caa4e43775b46cbd1360b8b7ab651ed8b589b4
# Parent  7a75cbc4d87c44d31757f632ac628a680f0c2222
mod_http: Fix reliance on previous tostring() format of util.set

a863e4237b91 unintentionally changed the format of HTTP CORS headers,
which were apparently relying on the output of tostring(), which it
shouldn't have.

Explicitly serializing it this time.

diff -r 7a75cbc4d87c -r 45caa4e43775 plugins/mod_http.lua
--- a/plugins/mod_http.lua	Sun Apr 09 22:31:12 2023 +0200
+++ b/plugins/mod_http.lua	Mon Apr 10 11:50:27 2023 +0200
@@ -17,6 +17,7 @@
 local url_build = require "socket.url".build;
 local normalize_path = require "prosody.util.http".normalize_path;
 local set = require "prosody.util.set";
+local array = require "util.array";
 
 local ip_util = require "prosody.util.ip";
 local new_ip = ip_util.new_ip;
@@ -112,12 +113,16 @@
 	return "http://disabled.invalid/";
 end
 
+local function header_set_tostring(header_value)
+	return array(pairs(header_value._items)):concat(", ");
+end
+
 local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin)
 	if allowed_origins and not allowed_origins[origin] then
 		return;
 	end
-	response.headers.access_control_allow_methods = tostring(methods);
-	response.headers.access_control_allow_headers = tostring(headers);
+	response.headers.access_control_allow_methods = header_set_tostring(methods);
+	response.headers.access_control_allow_headers = header_set_tostring(headers);
 	response.headers.access_control_max_age = tostring(max_age)
 	response.headers.access_control_allow_origin = origin or "*";
 	if allow_credentials then