Open
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Although method names are case-sensitive, Gorilla's CORS middleware takes the non-standard approach of normalising method names by uppercasing them. Such unwarranted case normalisation causes problems for clients that send requests whose method is not uppercase—and not some case-insensitive match for one of DELETE, GET, HEAD, OPTIONS, POST, or PUT, names for which the Fetch standard carves out an exception.
Expected Behavior
Gorilla should not normalise the case of allowed method names.
Steps To Reproduce
Here is a (failing) test case that illustrates the problem:
```go
func TestHandlePreflightLowercaseAllowedMethod(t *testing.T) {
	const (
		origin = "https://foo.com"
		method = "patch"
	)
	req, _ := http.NewRequest(http.MethodOptions, "http://example.com/foo", nil)
	req.Header.Add("Origin", origin)
	req.Header.Add("Access-Control-Request-Method", method)
	rr := httptest.NewRecorder()
	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	cors := CORS(
		AllowedOrigins([]string{origin}),
		AllowedMethods([]string{method}),
	)
	cors(testHandler).ServeHTTP(rr, req)
	resp := rr.Result()
	if got, want := resp.StatusCode, http.StatusOK; got != want {
		t.Errorf("bad status: got %v want %v", got, want)
	}
	header := resp.Header.Get(corsAllowMethodsHeader)
	if got, want := header, method; got != want {
		t.Errorf("bad header: expected %q method header, got %q", want, got)
	}
}
```
Current result:
```
$ go test -run ^TestHandlePreflightLowercaseAllowedMethod$ github.com/gorilla/handlers
--- FAIL: TestHandlePreflightLowercaseAllowedMethod (0.00s)
    cors_test.go:210: bad status: got 405 want 200
    cors_test.go:215: bad header: expected "patch" method header, got ""
FAIL
FAIL github.com/gorilla/handlers 0.790s
FAIL
```
Anything else?
More about this topic in one of my recent blog posts.
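
The mismatch described in this issue, as an added example that is not part of the original report and is not Gorilla's code: it models the Fetch standard's six-name normalisation on the client side and compares an allow-list that uppercases configured names against one that keeps them as written. The function names (`asciiUpper`, `fetchNormalize`, `allowList`, `preflightAllowed`) and the sample configuration are hypothetical, and applying the uppercasing at configuration time is an assumption.

```go
package main

import "fmt"

// asciiUpper uppercases ASCII letters only, byte by byte.
func asciiUpper(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'a' <= c && c <= 'z' {
			b[i] = c - 'a' + 'A'
		}
	}
	return string(b)
}

// fetchNormalize models the Fetch standard's exception: only these six names
// are uppercased by the browser; any other method goes out as written.
func fetchNormalize(method string) string {
	switch up := asciiUpper(method); up {
	case "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT":
		return up
	}
	return method
}

// allowList builds the allowed-method set; uppercase=true models (assumption) normalising middleware.
func allowList(methods []string, uppercase bool) map[string]bool {
	set := make(map[string]bool, len(methods))
	for _, m := range methods {
		if uppercase {
			m = asciiUpper(m)
		}
		set[m] = true
	}
	return set
}

// preflightAllowed checks the Access-Control-Request-Method a browser would send, byte for byte.
func preflightAllowed(set map[string]bool, clientMethod string) bool {
	return set[fetchNormalize(clientMethod)]
}

func main() {
	cfg := []string{"patch", "PUT"} // constructed sample configuration
	for _, m := range []string{"patch", "PATCH", "put"} {
		fmt.Printf("%-5s uppercasing=%-5v exact=%v\n", m, preflightAllowed(allowList(cfg, true), m), preflightAllowed(allowList(cfg, false), m))
	}
}
```

With the uppercasing list, the configured `patch` can never match a client that actually sends `patch`, while `put` works either way because the browser has already turned it into `PUT`.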