Handle comma separated values in Access-Control-Request-Headers

mficzel · web-flow · commit ffc1da55114b · 2025-07-10T12:53:43.000+02:00
Not only may there be multiple Access-Control-Request-Headers, each header may contain a comma list of header names.
diff --git a/Classes/Http/CorsHeaderMiddleware.php b/Classes/Http/CorsHeaderMiddleware.php
@@ -319,6 +319,8 @@ private function areHeadersAllowed(array $headers): bool
         if ($this->allowedHeadersAll || $this->allowedHeaders === []) {
             return true;
         }
+        // each header may comma seperated itself
+        $headers = array_merge(...array_map(fn(string $line) => explode(',' , $line), $headers));
         foreach ($headers as $header) {
             if (!in_array($header, $this->allowedHeaders, true)) {
                 return false;

Original file line number	Diff line number	Diff line change
`@@ -319,6 +319,8 @@ private function areHeadersAllowed(array $headers): bool`
`319`	`319`	`if ($this->allowedHeadersAll \|\| $this->allowedHeaders === []) {`
`320`	`320`	`return true;`
`321`	`321`	`}`
	`322`	`+ // each header may comma seperated itself`
	`323`	`+ $headers = array_merge(...array_map(fn(string $line) => explode(',' , $line), $headers));`
`322`	`324`	`foreach ($headers as $header) {`
`323`	`325`	`if (!in_array($header, $this->allowedHeaders, true)) {`
`324`	`326`	`return false;`