fix(cors): add Origin to allowed headers

coderbyheart · coderbyheart · commit d41d5aecd465 · 2025-09-17T14:57:36.000+02:00
This is not implied and needs to be added explicitly
diff --git a/src/corsHeaders.spec.ts b/src/corsHeaders.spec.ts
@@ -13,7 +13,7 @@ void describe('corsHeaders()', () => {
 			{
 				'Access-Control-Allow-Credentials': true,
 				'Access-Control-Allow-Headers':
-					'content-type, accept, if-match, authorization',
+					'accept, authorization, content-type, if-match, origin',
 				'Access-Control-Expose-Headers':
 					'x-amzn-requestid, etag, apigw-requestid',
 				'Access-Control-Allow-Methods': 'PUT, DELETE, POST, GET, PATCH',
diff --git a/src/corsHeaders.ts b/src/corsHeaders.ts
@@ -35,8 +35,12 @@ export const corsHeaders = (
 	'Access-Control-Allow-Credentials': true,
 	'Access-Control-Allow-Origin': origin({ headers }),
 	'Access-Control-Allow-Methods': allowedMethods.join(', '),
-	'Access-Control-Allow-Headers':
-		'content-type, accept, if-match, authorization',
+	'Access-Control-Allow-Headers': Array.from(
+		new Set(['content-type', 'accept', 'if-match', 'authorization', 'origin']),
+	)
+		.map((h) => h.trim())
+		.sort((h1, h2) => h1.localeCompare(h2))
+		.join(', '),
 	'Access-Control-Expose-Headers': 'x-amzn-requestid, etag, apigw-requestid',
 	'Access-Control-Max-Age': cacheForSeconds,
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#cors_and_caching

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ void describe('corsHeaders()', () => {`
`13`	`13`	`{`
`14`	`14`	`'Access-Control-Allow-Credentials': true,`
`15`	`15`	`'Access-Control-Allow-Headers':`
`16`		`- 'content-type, accept, if-match, authorization',`
	`16`	`+ 'accept, authorization, content-type, if-match, origin',`
`17`	`17`	`'Access-Control-Expose-Headers':`
`18`	`18`	`'x-amzn-requestid, etag, apigw-requestid',`
`19`	`19`	`'Access-Control-Allow-Methods': 'PUT, DELETE, POST, GET, PATCH',`