From 59be792439d46d9b1266a03eede629ff1629d89e Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 10 Apr 2023 11:50:27 +0200 Subject: mod_http: Fix reliance on previous tostring() format of util.set a863e4237b91 unintentionally changed the format of HTTP CORS headers, which were apparently relying on the output of tostring(), which it shouldn't have. Explicitly serializing it this time. --- plugins/mod_http.lua | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'plugins/mod_http.lua') diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index 493bec25..b50755df 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -17,6 +17,7 @@ local url_parse = require "socket.url".parse; local url_build = require "socket.url".build; local normalize_path = require "prosody.util.http".normalize_path; local set = require "prosody.util.set"; +local array = require "util.array"; local ip_util = require "prosody.util.ip"; local new_ip = ip_util.new_ip; @@ -112,12 +113,16 @@ function moduleapi.http_url(module, app_name, default_path) return "http://disabled.invalid/"; end +local function header_set_tostring(header_value) + return array(pairs(header_value._items)):concat(", "); +end + local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin) if allowed_origins and not allowed_origins[origin] then return; end - response.headers.access_control_allow_methods = tostring(methods); - response.headers.access_control_allow_headers = tostring(headers); + response.headers.access_control_allow_methods = header_set_tostring(methods); + response.headers.access_control_allow_headers = header_set_tostring(headers); response.headers.access_control_max_age = tostring(max_age) response.headers.access_control_allow_origin = origin or "*"; if allow_credentials then -- cgit v1.2.3