From dae756c84a03d7c45505a892ac72758317a52a65 Mon Sep 17 00:00:00 2001
From: Juan Basso
Date: Tue, 21 Jan 2014 15:02:41 -0500
Subject: [PATCH] Added option to allowed headers
---
 lib/Cake/Network/CakeResponse.php | 4 +-
 .../Test/Case/Network/CakeResponseTest.php | 62 ++++++++++---------
 2 files changed, 37 insertions(+), 29 deletions(-)
diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php
index cd6045cf7..30b5a3a06 100644
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@@ -1263,9 +1263,10 @@ class CakeResponse {
 * @param CakeRequest $request Request object
 * @param string|array $allowedDomains List of allowed domains, see method description for more details
 * @param string|array $allowedMethods List of HTTP verbs allowed
+ * @param string|array $allowedHeaders List of HTTP headers allowed
 * @return void
 */
- public function cors(CakeRequest $request, $allowedDomains, $allowedMethods = array()) {
+ public function cors(CakeRequest $request, $allowedDomains, $allowedMethods = array(), $allowedHeaders = array()) {
 $origin = $request->header('Origin');
 if (!$origin) {
 return;
@@ -1278,6 +1279,7 @@ class CakeResponse {
 }
 $this->header('Access-Control-Allow-Origin', $domain['original'] === '*' ? '*' : $origin);
 $allowedMethods && $this->header('Access-Control-Allow-Methods', implode(', ', (array)$allowedMethods));
+ $allowedHeaders && $this->header('Access-Control-Allow-Headers', implode(', ', (array)$allowedHeaders));
 break;
 }
 }
diff --git a/lib/Cake/Test/Case/Network/CakeResponseTest.php b/lib/Cake/Test/Case/Network/CakeResponseTest.php
index ff13db3a3..d7ca1e90f 100644
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
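Review bot: The new `@param string|array $allowedHeaders` line in the first CakeResponse.php hunk does not say that these are request header names sent back as `Access-Control-Allow-Headers` for every origin matched by `$allowedDomains`, including the `*` wildcard. I would spell that out, e.g. `@param string|array $allowedHeaders Request header names to permit via Access-Control-Allow-Headers; applied to every origin matched by $allowedDomains, so keep it an explicit, minimal list`. The docblock starts and the body of cors() continues outside this hunk.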
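Review bot: In the second CakeResponse.php hunk the added `$allowedHeaders && $this->header('Access-Control-Allow-Headers', ...)` line joins the caller's values into the header verbatim, with no check that each entry is a header-name token. Callers are not visible here, but if one ever fills this argument from the request's `Access-Control-Request-Headers`, whatever the client sent is echoed back in the response. Filtering first would keep the method safe by construction: `$allowedHeaders = preg_grep('/^[\w-]+$/', (array)$allowedHeaders);`. The same applies to the `$allowedMethods` line above it, and the loop this sits in starts outside the hunk.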
@@ -1069,31 +1069,33 @@ class CakeResponseTest extends CakeTestCase {
 * @param string $origin
 * @param string|array $domains
 * @param string|array $methods
+ * @param string|array $headers
 * @param string|boolean $expectedOrigin
 * @param string|boolean $expectedMethods
+ * @param string|boolean $expectedHeaders
 * @return void
 */
- public function testCors($request, $origin, $domains, $methods, $expectedOrigin, $expectedMethods) {
+ public function testCors($request, $origin, $domains, $methods, $headers, $expectedOrigin, $expectedMethods = false, $expectedHeaders = false) {
 $_SERVER['HTTP_ORIGIN'] = $origin;
 $response = $this->getMock('CakeResponse', array('header'));
- if ($expectedOrigin === false) {
- $response->expects($this->never())
- ->method('header');
- } elseif ($expectedMethods === false) {
- $response->expects($this->once())
+
+ $method = $response->expects(!$expectedOrigin ? $this->never() : $this->at(0))->method('header');
+ $expectedOrigin && $method->with('Access-Control-Allow-Origin', $expectedOrigin ? $expectedOrigin : $this->anything());
+
+ $i = 1;
+ if ($expectedMethods) {
+ $response->expects($this->at($i++))
 ->method('header')
- ->with('Access-Control-Allow-Origin', $expectedOrigin);
- } else {
- $response->expects($this->at(0))
+ ->with('Access-Control-Allow-Methods', $expectedMethods ? $expectedMethods : $this->anything());
+ }
+ if ($expectedHeaders) {
+ $response->expects($this->at($i++))
 ->method('header')
- ->with('Access-Control-Allow-Origin', $expectedOrigin);
- $response->expects($this->at(1))
- ->method('header')
- ->with('Access-Control-Allow-Methods', $expectedMethods);
+ ->with('Access-Control-Allow-Headers', $expectedHeaders ? $expectedHeaders : $this->anything());
 }
- $response->cors($request, $domains, $methods);
+ $response->cors($request, $domains, $methods, $headers);
 unset($_SERVER['HTTP_ORIGIN']);
 }
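Review bot: The rewritten testCors() no longer limits how many times header() is called: the old `$this->once()` branch failed if an unexpected `Access-Control-Allow-Methods` was sent, while `$this->at($i++)` only checks the call at that index, so an extra CORS header now passes unnoticed. Adding `$expectedOrigin && $response->expects($this->exactly($i))->method('header');` after the two `if` blocks would restore that check, assuming this PHPUnit version accepts an `exactly()` expectation alongside `at()` on the same method. The `$expectedX ? $expectedX : $this->anything()` ternaries are also dead code, since each is already guarded by the same truthiness test.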
@@ -1112,22 +1114,26 @@ class CakeResponseTest extends CakeTestCase {
 ->will($this->returnValue(true));
 return array(
- array($fooRequest, null, '*', '', false, false),
- array($fooRequest, 'http://www.foo.com', '*', '', '*', false),
- array($fooRequest, 'http://www.foo.com', 'www.foo.com', '', 'http://www.foo.com', false),
- array($fooRequest, 'http://www.foo.com', '*.foo.com', '', 'http://www.foo.com', false),
- array($fooRequest, 'http://www.foo.com', 'http://*.foo.com', '', 'http://www.foo.com', false),
- array($fooRequest, 'http://www.foo.com', 'https://www.foo.com', '', false, false),
- array($fooRequest, 'http://www.foo.com', 'https://*.foo.com', '', false, false),
- array($fooRequest, 'http://www.foo.com', array('*.bar.com', '*.foo.com'), '', 'http://www.foo.com', false),
+ array($fooRequest, null, '*', '', '', false, false),
+ array($fooRequest, 'http://www.foo.com', '*', '', '', '*', false),
+ array($fooRequest, 'http://www.foo.com', 'www.foo.com', '', '', 'http://www.foo.com', false),
+ array($fooRequest, 'http://www.foo.com', '*.foo.com', '', '', 'http://www.foo.com', false),
+ array($fooRequest, 'http://www.foo.com', 'http://*.foo.com', '', '', 'http://www.foo.com', false),
+ array($fooRequest, 'http://www.foo.com', 'https://www.foo.com', '', '', false, false),
+ array($fooRequest, 'http://www.foo.com', 'https://*.foo.com', '', '', false, false),
+ array($fooRequest, 'http://www.foo.com', array('*.bar.com', '*.foo.com'), '', '', 'http://www.foo.com', false),
- array($secureRequest, 'https://www.bar.com', 'www.bar.com', '', 'https://www.bar.com', false),
- array($secureRequest, 'https://www.bar.com', 'http://www.bar.com', '', false, false),
- array($secureRequest, 'https://www.bar.com', '*.bar.com', '', 'https://www.bar.com', false),
+ array($secureRequest, 'https://www.bar.com', 'www.bar.com', '', '', 'https://www.bar.com', false),
+ array($secureRequest, 'https://www.bar.com', 'http://www.bar.com', '', '', false, false),
+ array($secureRequest, 'https://www.bar.com', '*.bar.com', '', '', 'https://www.bar.com', false),
- array($fooRequest, 'http://www.foo.com', '*', 'GET', '*', 'GET'),
- array($fooRequest, 'http://www.foo.com', '*.foo.com', 'GET', 'http://www.foo.com', 'GET'),
- array($fooRequest, 'http://www.foo.com', '*.foo.com', array('GET', 'POST'), 'http://www.foo.com', 'GET, POST'),
+ array($fooRequest, 'http://www.foo.com', '*', 'GET', '', '*', 'GET'),
+ array($fooRequest, 'http://www.foo.com', '*.foo.com', 'GET', '', 'http://www.foo.com', 'GET'),
+ array($fooRequest, 'http://www.foo.com', '*.foo.com', array('GET', 'POST'), '', 'http://www.foo.com', 'GET, POST'),
+
+ array($fooRequest, 'http://www.foo.com', '*', '', 'X-CakePHP', '*', false, 'X-CakePHP'),
+ array($fooRequest, 'http://www.foo.com', '*', '', array('X-CakePHP', 'X-MyApp'), '*', false, 'X-CakePHP, X-MyApp'),
+ array($fooRequest, 'http://www.foo.com', '*', array('GET', 'OPTIONS'), array('X-CakePHP', 'X-MyApp'), '*', 'GET, OPTIONS', 'X-CakePHP, X-MyApp'),
 );
 }
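Review bot: All three new provider rows use `'*'` as the allowed domain, so nothing pins that `Access-Control-Allow-Headers` is withheld when the origin is rejected, or that it is sent alongside a reflected origin. I would add a negative row such as `array($fooRequest, 'http://www.foo.com', 'https://www.foo.com', '', 'X-CakePHP', false, false, false),` and a positive one using `'*.foo.com'` that expects `'http://www.foo.com'` and `'X-CakePHP'`. The provider method starts outside this hunk.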