rack-cors 0.2.9 → 1.0.5

data/lib/rack/cors/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Cors
-    VERSION = "0.2.9"
+    VERSION = "1.0.5"
   end
 end

data/rack-cors.gemspec

@@ -8,9 +8,9 @@ Gem::Specification.new do |spec|
   spec.version       = Rack::Cors::VERSION
   spec.authors       = ["Calvin Yu"]
   spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: http://github.com/cyu/rack-cors}
+  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors}
   spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
-  spec.homepage      = "http://github.com/cyu/rack-cors"
+  spec.homepage      = "https://github.com/cyu/rack-cors"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files`.split($/).reject { |f| f == '.gitignore' or f =~ /^examples/ }
@@ -18,9 +18,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "shoulda", ">= 0"
-  spec.add_development_dependency "mocha", ">= 0.14.0"
-  spec.add_development_dependency "rack-test", ">= 0"
+  spec.add_dependency "rack", ">= 1.6.0"
+  spec.add_development_dependency "bundler", ">= 1.16.0", '< 3'
+  spec.add_development_dependency "rake", "~> 12.3.0"
+  spec.add_development_dependency "minitest", "~> 5.11.0"
+  spec.add_development_dependency "mocha", "~> 1.6.0"
+  spec.add_development_dependency "rack-test", "~> 1.1.0"
 end

data/test/cors/test.cors.coffee

@@ -1,4 +1,4 @@
-CORS_SERVER = 'cors-server:3000'
+CORS_SERVER = '127.0.0.1.xip.io:9292'
 
 describe 'CORS', ->
 
@@ -7,6 +7,31 @@ describe 'CORS', ->
       expect(data).to.eql('Hello world')
       done()
 
+  it 'should allow PUT access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'PUT').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
+
+  it 'should allow PATCH access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'PATCH').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
+
+  it 'should allow HEAD access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'HEAD').done (data, textStatus, jqXHR) ->
+      expect(jqXHR.status).to.eql(200)
+      done()
+
+  it 'should allow DELETE access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'DELETE').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
+
+  it 'should allow OPTIONS access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'OPTIONS').done (data, textStatus, jqXHR) ->
+      expect(jqXHR.status).to.eql(200)
+      done()
+
   it 'should allow access to static resource', (done) ->
     $.get "http://#{CORS_SERVER}/static.txt", (data, status, xhr) ->
       expect($.trim(data)).to.eql("hello world")
@@ -20,4 +45,3 @@ describe 'CORS', ->
       success:(data, status, xhr) ->
         expect($.trim(data)).to.eql("OK!")
         done()
-

data/test/cors/test.cors.js

@@ -1,17 +1,58 @@
+// Generated by CoffeeScript 2.3.1
 (function() {
   var CORS_SERVER;
 
-  CORS_SERVER = 'cors-server:3000';
+  CORS_SERVER = '127.0.0.1.xip.io:9292';
 
   describe('CORS', function() {
     it('should allow access to dynamic resource', function(done) {
-      return $.get("http://" + CORS_SERVER + "/", function(data, status, xhr) {
+      return $.get(`http://${CORS_SERVER}/`, function(data, status, xhr) {
         expect(data).to.eql('Hello world');
         return done();
       });
     });
+    it('should allow PUT access to dynamic resource', function(done) {
+      return $.ajax(`http://${CORS_SERVER}/`, {
+        type: 'PUT'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(data).to.eql('Hello world');
+        return done();
+      });
+    });
+    it('should allow PATCH access to dynamic resource', function(done) {
+      return $.ajax(`http://${CORS_SERVER}/`, {
+        type: 'PATCH'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(data).to.eql('Hello world');
+        return done();
+      });
+    });
+    it('should allow HEAD access to dynamic resource', function(done) {
+      return $.ajax(`http://${CORS_SERVER}/`, {
+        type: 'HEAD'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(jqXHR.status).to.eql(200);
+        return done();
+      });
+    });
+    it('should allow DELETE access to dynamic resource', function(done) {
+      return $.ajax(`http://${CORS_SERVER}/`, {
+        type: 'DELETE'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(data).to.eql('Hello world');
+        return done();
+      });
+    });
+    it('should allow OPTIONS access to dynamic resource', function(done) {
+      return $.ajax(`http://${CORS_SERVER}/`, {
+        type: 'OPTIONS'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(jqXHR.status).to.eql(200);
+        return done();
+      });
+    });
     it('should allow access to static resource', function(done) {
-      return $.get("http://" + CORS_SERVER + "/static.txt", function(data, status, xhr) {
+      return $.get(`http://${CORS_SERVER}/static.txt`, function(data, status, xhr) {
         expect($.trim(data)).to.eql("hello world");
         return done();
       });
@@ -19,7 +60,7 @@
     return it('should allow post resource', function(done) {
       return $.ajax({
         type: 'POST',
-        url: "http://" + CORS_SERVER + "/cors",
+        url: `http://${CORS_SERVER}/cors`,
         beforeSend: function(xhr) {
           return xhr.setRequestHeader('X-Requested-With', 'XMLHTTPRequest');
         },

data/test/unit/cors_test.rb

@@ -1,14 +1,15 @@
-require 'rubygems'
-require 'test/unit'
+require 'minitest/autorun'
 require 'rack/test'
-require 'shoulda'
 require 'mocha/setup'
 require 'rack/cors'
+require 'ostruct'
 
 Rack::Test::Session.class_eval do
-  def options(uri, params = {}, env = {}, &block)
-    env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
-    process_request(uri, env, &block)
+  unless defined? :options
+    def options(uri, params = {}, env = {}, &block)
+      env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
+      process_request(uri, env, &block)
+    end
   end
 end
 
@@ -16,149 +17,479 @@ Rack::Test::Methods.class_eval do
   def_delegator :current_session, :options
 end
 
-class CorsTest < Test::Unit::TestCase
+module MiniTest::Assertions
+  def assert_cors_success(response)
+    assert !response.headers['Access-Control-Allow-Origin'].nil?, "Expected a successful CORS response"
+  end
+
+  def assert_not_cors_success(response)
+    assert response.headers['Access-Control-Allow-Origin'].nil?, "Expected a failed CORS response"
+  end
+end
+
+class CaptureResult
+  def initialize(app, options =  {})
+    @app = app
+    @result_holder = options[:holder]
+  end
+
+  def call(env)
+    response = @app.call(env)
+    @result_holder.cors_result = env[Rack::Cors::RACK_CORS]
+    return response
+  end
+end
+
+class FakeProxy
+  def initialize(app, options =  {})
+    @app = app
+  end
+
+  def call(env)
+    status, headers, body = @app.call(env)
+    headers['Vary'] = %w(Origin User-Agent)
+    [status, headers, body]
+  end
+end
+
+Rack::MockResponse.infect_an_assertion :assert_cors_success, :must_render_cors_success, :only_one_argument
+Rack::MockResponse.infect_an_assertion :assert_not_cors_success, :wont_render_cors_success, :only_one_argument
+
+describe Rack::Cors do
   include Rack::Test::Methods
 
-  def app
-    eval "Rack::Builder.new {( " + File.read(File.dirname(__FILE__) + '/test.ru') + "\n )}"
+  attr_accessor :cors_result
+
+  def load_app(name, options = {})
+    test = self
+    Rack::Builder.new do
+      use CaptureResult, :holder => test
+      eval File.read(File.dirname(__FILE__) + "/#{name}.ru")
+      use FakeProxy if options[:proxy]
+      map('/') do
+        run proc { |env|
+          [200, {'Content-Type' => 'text/html'}, ['success']]
+        }
+      end
+    end
+  end
+
+  let(:app) { load_app('test') }
+
+  it 'should support simple CORS request' do
+    successful_cors_request
+    cors_result.must_be :hit
   end
 
-  should('support simple cors request') { cors_request }
+  it "should not return CORS headers if Origin header isn't present" do
+    get '/'
+    last_response.wont_render_cors_success
+    cors_result.wont_be :hit
+  end
 
-  should 'support OPTIONS cors request' do
-    cors_request '/options', :method => :options
+  it 'should support OPTIONS CORS request' do
+    successful_cors_request '/options', :method => :options
   end
 
-  should 'support regex origins configuration' do
-    cors_request :origin => 'http://192.168.0.1:1234'
+  it 'should support regex origins configuration' do
+    successful_cors_request :origin => 'http://192.168.0.1:1234'
   end
 
-  should 'support proc origins configuration' do
-    cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
+  it 'should support subdomain example' do
+    successful_cors_request :origin => 'http://subdomain.example.com'
   end
 
-  should 'support alternative X-Origin header' do
+  it 'should support proc origins configuration' do
+    successful_cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
+  end
+
+  it 'should support lambda origin configuration' do
+    successful_cors_request '/lambda-origin', :origin => 'http://10.10.10.10:3000'
+  end
+
+  it 'should support proc origins configuration (inverse)' do
+    cors_request '/proc-origin', :origin => 'http://bad.guy'
+    last_response.wont_render_cors_success
+  end
+
+  it 'should not mix up path rules across origins' do
+    header 'Origin', 'http://10.10.10.10:3000'
+    get '/' # / is configured in a separate rule block
+    last_response.wont_render_cors_success
+  end
+
+  it 'should support alternative X-Origin header' do
     header 'X-Origin', 'http://localhost:3000'
     get '/'
-    assert_cors_success
+    last_response.must_render_cors_success
+  end
+
+  it 'should support expose header configuration' do
+    successful_cors_request '/expose_single_header'
+    last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test'
   end
 
-  should 'support expose header configuration' do
-    cors_request '/expose_single_header'
-    assert_equal 'expose-test', last_response.headers['Access-Control-Expose-Headers']
+  it 'should support expose multiple header configuration' do
+    successful_cors_request '/expose_multiple_headers'
+    last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test-1, expose-test-2'
   end
 
-  should 'support expose multiple header configuration' do
-    cors_request '/expose_multiple_headers'
-    assert_equal 'expose-test-1, expose-test-2', last_response.headers['Access-Control-Expose-Headers']
+  # Explanation: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
+  it "should add Vary header if resource matches even if Origin header isn't present" do
+    get '/'
+    last_response.wont_render_cors_success
+    last_response.headers['Vary'].must_equal 'Origin'
   end
 
-  should 'add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
-    cors_request '/', :origin => "http://192.168.0.3:8080"
-    assert_cors_success
-    assert_equal 'http://192.168.0.3:8080', last_response.headers['Access-Control-Allow-Origin']
-    assert_not_nil last_response.headers['Vary'], 'missing Vary header'
+  it "should add Vary header based on :vary option" do
+    successful_cors_request '/vary_test'
+    last_response.headers['Vary'].must_equal 'Origin, Host'
   end
 
-  should 'not add Vary header if Access-Control-Allow-Origin header was added and if it is generic (*)' do
-    cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
-    assert_cors_success
-    assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
-    assert_nil last_response.headers['Vary'], 'no expecting Vary header'
+  it "decode URL and resolve paths before resource matching" do
+    header 'Origin', 'http://localhost:3000'
+    get '/public/a/..%2F..%2Fprivate/stuff'
+    last_response.wont_render_cors_success
   end
 
-  should 'support multi allow configurations for the same resource' do
-    cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
-    assert_cors_success
-    assert_equal 'http://mucho-grande.com', last_response.headers['Access-Control-Allow-Origin']
-    assert_equal 'Origin', last_response.headers['Vary'], 'expecting Vary header'
+  describe 'with array of upstream Vary headers' do
+    let(:app) { load_app('test', { proxy: true }) }
 
-    cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
-    assert_cors_success
-    assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
-    assert_nil last_response.headers['Vary'], 'no expecting Vary header'
+    it 'should add to them' do
+      successful_cors_request '/vary_test'
+      last_response.headers['Vary'].must_equal 'Origin, User-Agent, Host'
+    end
+  end
+
+  it 'should add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
+    successful_cors_request '/', :origin => "http://192.168.0.3:8080"
+    last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://192.168.0.3:8080'
+    last_response.headers['Vary'].wont_be_nil
   end
 
-  should 'not log debug messages if debug option is false' do
-    app = mock
-    app.stubs(:call).returns(200, {}, [''])
+  it 'should add Vary header even if Access-Control-Allow-Origin header was added and it is generic (*)' do
+    successful_cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
+    last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+    last_response.headers['Vary'].must_equal 'Origin'
+  end
 
-    logger = mock
-    logger.expects(:debug).never
+  it 'should support multi allow configurations for the same resource' do
+    successful_cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
+    last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://mucho-grande.com'
+    last_response.headers['Vary'].must_equal 'Origin'
 
-    cors = Rack::Cors.new(app, :debug => false, :logger => logger) {}
-    cors.send(:debug, {}, 'testing')
+    successful_cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
+    last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+    last_response.headers['Vary'].must_equal 'Origin'
   end
 
-  should 'log debug messages if debug option is true' do
-    app = mock
-    app.stubs(:call).returns(200, {}, [''])
+  it "should not return CORS headers on OPTIONS request if Access-Control-Allow-Origin is not present" do
+    options '/get-only'
+    last_response.headers['Access-Control-Allow-Origin'].must_be_nil
+  end
+
+  it "should not apply CORS headers if it does not match conditional on resource" do
+    header 'Origin', 'http://192.168.0.1:1234'
+    get '/conditional'
+    last_response.wont_render_cors_success
+  end
 
-    logger = mock
-    logger.expects(:debug)
+  it "should apply CORS headers if it does match conditional on resource" do
+    header 'X-OK', '1'
+    successful_cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
+  end
 
-    cors = Rack::Cors.new(app, :debug => true, :logger => logger) {}
-    cors.send(:debug, {}, 'testing')
+  it "should not allow everything if Origin is configured as blank string" do
+    cors_request '/blank-origin', origin: "http://example.net"
+    last_response.wont_render_cors_success
   end
 
-  context 'preflight requests' do
-    should 'fail if origin is invalid' do
+  it "should not allow credentials for public resources" do
+    successful_cors_request '/public'
+    last_response.headers['Access-Control-Allow-Credentials'].must_be_nil
+  end
+
+  describe 'logging' do
+    it 'should not log debug messages if debug option is false' do
+      app = mock
+      app.stubs(:call).returns(200, {}, [''])
+
+      logger = mock
+      logger.expects(:debug).never
+
+      cors = Rack::Cors.new(app, :debug => false, :logger => logger) {}
+      cors.send(:debug, {}, 'testing')
+    end
+
+    it 'should log debug messages if debug option is true' do
+      app = mock
+      app.stubs(:call).returns(200, {}, [''])
+
+      logger = mock
+      logger.expects(:debug)
+
+      cors = Rack::Cors.new(app, :debug => true, :logger => logger) {}
+      cors.send(:debug, {}, 'testing')
+    end
+
+    it 'should use rack.logger if available' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+
+      logger = mock
+      logger.expects(:debug).at_least_once
+
+      cors = Rack::Cors.new(app, :debug => true) {}
+      cors.call({'rack.logger' => logger, 'HTTP_ORIGIN' => 'test.com'})
+    end
+
+    it 'should use logger proc' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+
+      logger = mock
+      logger.expects(:debug)
+
+      cors = Rack::Cors.new(app, :debug => true, :logger => proc { logger }) {}
+      cors.call({'HTTP_ORIGIN' => 'test.com'})
+    end
+
+    describe 'with Rails setup' do
+      after do
+        ::Rails.logger = nil if defined?(::Rails)
+      end
+
+      it 'should use Rails.logger if available' do
+        app = mock
+        app.stubs(:call).returns([200, {}, ['']])
+
+        logger = mock
+        logger.expects(:debug)
+
+        ::Rails = OpenStruct.new(:logger => logger)
+
+        cors = Rack::Cors.new(app, :debug => true) {}
+        cors.call({'HTTP_ORIGIN' => 'test.com'})
+      end
+    end
+
+    it 'should use Logger if none is set' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+
+      logger = mock
+      Logger.expects(:new).returns(logger)
+      logger.expects(:tap).returns(logger)
+      logger.expects(:debug)
+
+      cors = Rack::Cors.new(app, :debug => true) {}
+      cors.call({'HTTP_ORIGIN' => 'test.com'})
+    end
+  end
+
+  describe 'preflight requests' do
+    it 'should fail if origin is invalid' do
       preflight_request('http://allyourdataarebelongtous.com', '/')
-      assert_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
-    should 'fail if Access-Control-Request-Method is not allowed' do
+    it 'should fail if Access-Control-Request-Method is not allowed' do
       preflight_request('http://localhost:3000', '/get-only', :method => :post)
-      assert_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
-    should 'fail if header is not allowed' do
+    it 'should fail if header is not allowed' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'Fooey')
-      assert_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_HEADER
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
-    should 'allow any header if headers = :any' do
+    it 'should allow any header if headers = :any' do
       preflight_request('http://localhost:3000', '/', :headers => 'Fooey')
-      assert_cors_success
+      last_response.must_render_cors_success
+    end
+
+    it 'should allow any method if methods = :any' do
+      preflight_request('http://localhost:3000', '/', :methods => :any)
+      last_response.must_render_cors_success
     end
 
-    should 'allow header case insensitive match' do
+    it 'allows PATCH method' do
+      preflight_request('http://localhost:3000', '/', :methods => [ :patch ])
+      last_response.must_render_cors_success
+    end
+
+    it 'should allow header case insensitive match' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
-      assert_cors_success
+      last_response.must_render_cors_success
     end
 
-    should 'allow multiple headers match' do
+    it 'should allow multiple headers match' do
       # Webkit style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'X-Requested-With, X-Domain-Token')
-      assert_cors_success
+      last_response.must_render_cors_success
 
       # Gecko style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'x-requested-with,x-domain-token')
-      assert_cors_success
+      last_response.must_render_cors_success
     end
 
-    should '* origin should allow any origin' do
+    it 'should * origin should allow any origin' do
       preflight_request('http://locohost:3000', '/public')
-      assert_cors_success
-      assert_equal 'http://locohost:3000', last_response.headers['Access-Control-Allow-Origin']
+      last_response.must_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
-    should '* origin should allow any origin, and set * if no credentials required' do
+    it 'should * origin should allow any origin, and set * if no credentials required' do
       preflight_request('http://locohost:3000', '/public_without_credentials')
-      assert_cors_success
-      assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
+      last_response.must_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+    end
+
+    it 'should return "file://" as header with "file://" as origin' do
+      preflight_request('file://', '/')
+      last_response.must_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal 'file://'
+    end
+
+    describe '' do
+
+      let(:app) do
+        test = self
+        Rack::Builder.new do
+          use CaptureResult, holder: test
+          use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
+            allow do
+              origins '*'
+              resource '/', :methods => :post
+            end
+          end
+          map('/') do
+            run ->(env) { [500, {}, ['FAIL!']] }
+          end
+        end
+      end
+
+      it "should not send failed preflight requests thru the app" do
+        preflight_request('http://localhost', '/', :method => :unsupported)
+        last_response.wont_render_cors_success
+        last_response.status.must_equal 200
+        cors_result.must_be :preflight
+        cors_result.wont_be :hit
+        cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      end
+    end
+  end
+
+  describe "with insecure configuration" do
+    let(:app) { load_app('insecure') }
+
+    it "should raise an error" do
+      proc { cors_request '/public' }.must_raise Rack::Cors::Resource::CorsMisconfigurationError
+    end
+  end
+
+  describe "with non HTTP config" do
+    let(:app) { load_app("non_http") }
+
+    it 'should support non http/https origins' do
+      successful_cors_request '/public', origin: 'content://com.company.app'
+    end
+  end
+
+  describe 'Rack::Lint' do
+    def app
+      @app ||= Rack::Builder.new do
+        use Rack::Cors
+        use Rack::Lint
+        run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+      end
+    end
+
+    it 'is lint-compliant with non-CORS request' do
+      get '/'
+      last_response.status.must_equal 200
+    end
+  end
+
+  describe 'with app overriding CORS header' do
+    let(:app) do
+      Rack::Builder.new do
+        use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
+          allow do
+            origins '*'
+            resource '/'
+          end
+        end
+        map('/') do
+          run ->(env) { [200, {'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
+        end
+      end
+    end
+
+    it "should return app header" do
+      successful_cors_request origin: "http://example.net"
+      last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
+    end
+
+    it "should return original headers if in debug" do
+      successful_cors_request origin: "http://example.net"
+      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "*"
     end
+  end
 
-    should '"null" origin, allowed as "file://", returned as "null" in header' do
-      preflight_request('null', '/')
-      assert_cors_success
-      assert_equal 'null', last_response.headers['Access-Control-Allow-Origin']
+  describe 'with headers set to nil' do
+    let(:app) do
+      Rack::Builder.new do
+        use Rack::Cors do
+          allow do
+            origins '*'
+            resource '/', headers: nil
+          end
+        end
+        map('/') do
+          run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+        end
+      end
     end
 
-    should 'return a Content-Type' do
-      preflight_request('http://localhost:3000', '/')
-      assert_cors_success
-      assert_not_nil last_response.headers['Content-Type']
+    it 'should succeed with CORS simple headers' do
+      preflight_request('http://localhost:3000', '/', :headers => 'Accept')
+      last_response.must_render_cors_success
+    end
+  end
+
+  describe 'with custom allowed headers' do
+    let(:app) do
+      Rack::Builder.new do
+        use Rack::Cors do
+          allow do
+            origins '*'
+            resource '/', headers: []
+          end
+        end
+        map('/') do
+          run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+        end
+      end
+    end
+
+    it 'should succeed with CORS simple headers' do
+      preflight_request('http://localhost:3000', '/', :headers => 'Accept')
+      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', :headers => 'Accept-Language')
+      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', :headers => 'Content-Type')
+      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', :headers => 'Content-Language')
+      last_response.must_render_cors_success
     end
   end
 
@@ -170,8 +501,12 @@ class CorsTest < Test::Unit::TestCase
       opts.merge! args.last if args.last.is_a?(Hash)
 
       header 'Origin', opts[:origin]
-      current_session.__send__ opts[:method], path
-      assert_cors_success
+      current_session.__send__ opts[:method], path, {}, test: self
+    end
+
+    def successful_cors_request(*args)
+      cors_request(*args)
+      last_response.must_render_cors_success
     end
 
     def preflight_request(origin, path, opts = {})
@@ -184,12 +519,4 @@ class CorsTest < Test::Unit::TestCase
       end
       options path
     end
-
-    def assert_cors_success
-      assert_not_nil last_response.headers['Access-Control-Allow-Origin'], 'missing Access-Control-Allow-Origin header'
-    end
-
-    def assert_cors_failure
-      assert_nil last_response.headers['Access-Control-Allow-Origin'], 'no expecting Access-Control-Allow-Origin header'
-    end
 end