drupal_cors

Using multiple Access-Control-Allow-Methods and Access-Control-Allow-Headers only the last header value is used

Open pjcarly opened this issue 8 years ago • 1 comments

Hi,

I think I came across a bug in the D8 version, where if, in the options, you pass multiple values for the Methods and/or the Headers, you would only get the last value in the response.

For example, this configuration: /api/*||GET, POST, PUT, PATCH, DELETE, OPTIONS|Content-Type, Authorization|true

In the response:

I would expect:

Access-Control-Allow-Headers →Content-Type, Authorization
Access-Control-Allow-Methods →GET, POST, PUT, PATCH, DELETE, OPTIONS

However I get this:

Access-Control-Allow-Headers →Authorization
Access-Control-Allow-Methods →OPTIONS

I think this is due to exploding the values on lines 104 and 107: explode(',', trim($settings[2]));

and then looping over them on lines 122 through 124

foreach ($values as $value) {
  $response->headers->set($header, $value, TRUE);
}

Only the latest value will be preserved, as the previous ones are overwritten every time.

An easy solution would be changing lines 104 and 107 to:

$headers['OPTIONS']['Access-Control-Allow-Methods'] = array(trim($settings[1])); //104
$headers['OPTIONS']['Access-Control-Allow-Headers'] = array(trim($settings[2])); //107

Then I get my expected response.

pjcarly, Jul 09 '16 23:07
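The overwrite reported above, reproduced as an added example (not code from drupal_cors or from either commenter). `TinyHeaderBag` and `parse_cors_line` are hypothetical stand-ins; the replace-or-merge behaviour of `set()` and the settings indexes are assumptions modeled on the lines quoted in the issue, and the joined variant is one alternative way to keep the full list.

```php
<?php
// Added example. TinyHeaderBag is a hypothetical stand-in; its replace-or-merge
// set() semantics are an assumption modeled on the call quoted in the issue.
final class TinyHeaderBag {
  private array $headers = [];

  public function set(string $key, $values, bool $replace = TRUE): void {
    $values = array_values((array) $values);
    if ($replace || !isset($this->headers[$key])) {
      $this->headers[$key] = $values;
    }
    else {
      $this->headers[$key] = array_merge($this->headers[$key], $values);
    }
  }

  // What a client ends up seeing for this header name.
  public function line(string $key): string {
    return implode(', ', $this->headers[$key] ?? []);
  }
}

// Hypothetical parser. Assumption: the path is split off first, so index 1 is
// the method list and index 2 the header list, as in the lines quoted above.
function parse_cors_line(string $line): array {
  $rest = explode('|', $line, 2)[1] ?? '';
  $settings = explode('|', $rest);
  $split = fn(string $s): array => preg_split('/\s*,\s*/', trim($s), -1, PREG_SPLIT_NO_EMPTY);
  return [
    'Access-Control-Allow-Methods' => $split($settings[1] ?? ''),
    'Access-Control-Allow-Headers' => $split($settings[2] ?? ''),
  ];
}

$parsed = parse_cors_line('/api/*||GET, POST, PUT, PATCH, DELETE, OPTIONS|Content-Type, Authorization|true');

$looped = new TinyHeaderBag();  // loop from the issue: each set() replaces the last
$joined = new TinyHeaderBag();  // one set() per header with the whole list
foreach ($parsed as $header => $values) {
  foreach ($values as $value) {
    $looped->set($header, $value, TRUE);
  }
  $joined->set($header, implode(', ', $values), TRUE);
}

foreach (array_keys($parsed) as $header) {
  printf("%s\n  looped: %s\n  joined: %s\n", $header, $looped->line($header), $joined->line($header));
}
```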

pull #15 will solve multiple headers.

lastlink, Jul 04 '17 03:07