Kludex · JayH5 · Jun 13, 2021 · Jun 13, 2021 · Jun 13, 2021
diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
@@ -129,6 +129,7 @@ def preflight_response(self, request_headers: Headers) -> Response:
             for header in [h.lower() for h in requested_headers.split(",")]:
                 if header.strip() not in self.allow_headers:
                     failures.append("headers")
+                    break
 
         # We don't strictly need to use 400 responses here, since its up to
         # the browser to enforce the CORS policy, but its more informative

diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
@@ -179,6 +179,16 @@ def homepage(request):
     assert response.text == "Disallowed CORS origin, method, headers"
     assert "access-control-allow-origin" not in response.headers
 
+    # Bug specific test, https://github.com/encode/starlette/pull/1199
+    # Test preflight response text with multiple disallowed headers
+    headers = {
+        "Origin": "https://example.org",
+        "Access-Control-Request-Method": "GET",
+        "Access-Control-Request-Headers": "X-Nope-1, X-Nope-2",
+    }
+    response = client.options("/", headers=headers)
+    assert response.text == "Disallowed CORS headers"
+
 
 def test_preflight_allows_request_origin_if_origins_wildcard_and_credentials_allowed():
     app = Starlette()