fix: check for default headers before appending to cors header failur…

…es (#4015)
litestar-org · Feb 27, 2025 · f393a17 · f393a17
1 parent c5dbb6c
commit f393a17
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/litestar/middleware/_internal/cors.py b/litestar/middleware/_internal/cors.py
@@ -113,8 +113,12 @@ def _create_preflight_response(self, origin: str, request_headers: Headers) -> R
                 response_headers["Access-Control-Allow-Headers"] = ", ".join(
                     sorted(set(pre_flight_requested_headers) | DEFAULT_ALLOWED_CORS_HEADERS)  # pyright: ignore
                 )
-            elif any(header.lower() not in self.config.allow_headers for header in pre_flight_requested_headers):
-                failures.append("headers")
+            else:
+                all_allowed_headers = set(self.config.allow_headers).union(
+                    default_header.lower() for default_header in DEFAULT_ALLOWED_CORS_HEADERS
+                )
+                if any(header.lower() not in all_allowed_headers for header in pre_flight_requested_headers):
+                    failures.append("headers")
 
         return (
             Response(