From 3c2ef1632d726f4157fb6e5b7f8a08b1c9b790a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20W=C3=BClker?= Date: Wed, 10 Sep 2025 19:40:11 +0200 Subject: [PATCH] Don't stop parsing after invalid elements in Access-Control-Allow-Headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This behaviour matches other CORS headers and fixes a parsing bug. As per https://httpwg.org/specs/rfc9110.html#abnf.extension, empty elements in the header are allowed, but previously this function would incorrectly finish the iterator due to take_while being used. Signed-off-by: Simon Wülker --- src/common/access_control_allow_headers.rs | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/common/access_control_allow_headers.rs b/src/common/access_control_allow_headers.rs index 53a32bdc..74e08e9b 100644 --- a/src/common/access_control_allow_headers.rs +++ b/src/common/access_control_allow_headers.rs @@ -5,7 +5,7 @@ use http::{HeaderName, HeaderValue}; use crate::util::FlatCsv; /// `Access-Control-Allow-Headers` header, part of -/// [CORS](http://www.w3.org/TR/cors/#access-control-allow-headers-response-header) +/// [CORS](https://fetch.spec.whatwg.org/#access-control-allow-headers-response-header) /// /// The `Access-Control-Allow-Headers` header indicates, as part of the /// response to a preflight request, which header field names can be used @@ -42,11 +42,7 @@ derive_header! { impl AccessControlAllowHeaders { /// Returns an iterator over `HeaderName`s contained within. pub fn iter(&self) -> impl Iterator + '_ { - self.0 - .iter() - .map(|s| s.parse().ok()) - .take_while(|val| val.is_some()) - .flatten() + self.0.iter().filter_map(|s| s.parse().ok()) } }