issue #2149, issue #2159

do not overwrite CORS response headers set by Foxx application with hard-coded default values

arangod/GeneralServer/HttpCommTask.cpp

@@ -113,15 +113,18 @@ void HttpCommTask::addResponse(HttpResponse* response) {
     // access-control-allow-origin header now
     LOG(TRACE) << "handling CORS response";
 
-    response->setHeaderNC(StaticStrings::AccessControlExposeHeaders,
-                          StaticStrings::ExposedCorsHeaders);
-
     // send back original value of "Origin" header
-    response->setHeaderNC(StaticStrings::AccessControlAllowOrigin, _origin);
+    response->setHeaderNCIfNotSet(StaticStrings::AccessControlAllowOrigin, _origin);
 
     // send back "Access-Control-Allow-Credentials" header
-    response->setHeaderNC(StaticStrings::AccessControlAllowCredentials,
+    response->setHeaderNCIfNotSet(StaticStrings::AccessControlAllowCredentials,
                                   (_denyCredentials ? "false" : "true"));
+    
+    // use "IfNotSet" here because we should not override HTTP headers set
+    // by Foxx applications
+    response->setHeaderNCIfNotSet(StaticStrings::AccessControlExposeHeaders,
+                                  StaticStrings::ExposedCorsHeaders);
+
   }
 
   // set "connection" header, keep-alive is the default
@@ -650,7 +653,7 @@ bool HttpCommTask::checkContentLength(HttpRequest* request,
 void HttpCommTask::processCorsOptions(std::unique_ptr<HttpRequest> request) {
   HttpResponse response(rest::ResponseCode::OK);
 
-  response.setHeaderNC(StaticStrings::Allow, StaticStrings::CorsMethods);
+  response.setHeaderNCIfNotSet(StaticStrings::Allow, StaticStrings::CorsMethods);
 
   if (!_origin.empty()) {
     LOG(TRACE) << "got CORS preflight request";
@@ -659,17 +662,15 @@ void HttpCommTask::processCorsOptions(std::unique_ptr<HttpRequest> request) {
 
     // send back which HTTP methods are allowed for the resource
     // we'll allow all
-    response.setHeaderNC(StaticStrings::AccessControlAllowMethods,
+    response.setHeaderNCIfNotSet(StaticStrings::AccessControlAllowMethods,
                                  StaticStrings::CorsMethods);
 
     if (!allowHeaders.empty()) {
       // allow all extra headers the client requested
       // we don't verify them here. the worst that can happen is that the
-      // client
+      // client sends some broken headers and then later cannot access the data on
-      // sends some broken headers and then later cannot access the data on
+      // the server. that's a client problem.
-      // the
+      response.setHeaderNCIfNotSet(StaticStrings::AccessControlAllowHeaders,
-      // server. that's a client problem.
-      response.setHeaderNC(StaticStrings::AccessControlAllowHeaders,
                                    allowHeaders);
 
       LOG(TRACE) << "client requested validation of the following headers: "
@@ -677,7 +678,7 @@ void HttpCommTask::processCorsOptions(std::unique_ptr<HttpRequest> request) {
     }
 
     // set caching time (hard-coded value)
-    response.setHeaderNC(StaticStrings::AccessControlMaxAge,
+    response.setHeaderNCIfNotSet(StaticStrings::AccessControlMaxAge,
                                  StaticStrings::N1800);
   }
 

lib/Rest/GeneralResponse.h

@@ -122,6 +122,15 @@ class GeneralResponse {
     _headers[key] = std::move(value);
   }
   
+  // adds a header if not set. the header field name must be lower-cased
+  void setHeaderNCIfNotSet(std::string const& key, std::string const& value) {
+    if (_headers.find(key) != _headers.end()) {
+      // already set
+      return;
+    }
+    _headers.emplace(key, value);
+  }
+  
  public:
   virtual uint64_t messageId() const { return 1; }