[BUG] CORS Access-Control-Allow-Origin set wrong if using multiple origins

[pimeys]

Is there an existing issue for this?

• [X] I have searched the existing issues

What version of workers-rs are you using?

0.1.0

What version of wrangler are you using?

3.34.2

Describe the bug

When setting multiple origins to the CORS configuration:

let cors = Cors::new().with_origins(["https://example.com", "https://lwn.net"]);
response.with_cors(&cors)?;

And then sending a pre-flight request with Origin set as https://example.com, the response header is set like this:

Access-Control-Allow-Origin: "https://example.com,https://lwn.net"

This will lead to a CORS error, because the header must be a single origin, not multiple. How tower-http does this is defined here:

https://github.com/tower-rs/tower-http/blob/main/tower-http/src/cors/allow_origin.rs#L124

If the origin value is a list of urls, it uses the header value from the request, finds the origin from the list and sets the header to be exactly one URL matching the request origin. If the origin is not defined in the list, the header should be omitted.

Steps To Reproduce

1. Send a pre-flight request with Origin: https://example.com
2. Respond from a worker with CORS origins set to ["https://example.com", "https://lwn.net"]
3. Witness a CORS error in the browser

[OliverEvans96]

Currently, Response::with_cors doesn't take the request headers as an argument, which it would need to in order to implement this correctly.

Here's how I'm working around this in my code:

    let req_origin = req.headers().get("Origin")?;
    let resp = router.run(req, env).await?;

    let allowed_origins = ["https://example.com", "https://lwn.net"];
    let cors_origins = req_origin
        .map(|o| allowed_origins.into_iter().filter(|&a| a == o).collect())
        .unwrap_or_else(Vec::new);

    let cors = Cors::new()
        .with_origins(cors_origins);

    let resp = resp.with_cors(&cors)?;