fix: CORS header typo Access-Control-Allow-Origin

lib/ProductOpener/HTTP.pm

@@ -118,7 +118,7 @@ sub get_cors_headers ($allow_credentials = 0, $sub_domain_only = 0) {
 			}
 		}
 	}
-	$headers_ref->{"Access-Control-Allow-Origins"} = $allow_origins;
+	$headers_ref->{"Access-Control-Allow-Origin"} = $allow_origins;
 	if ($allow_origins ne "*") {
 		# see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#cors_and_caching
 		$headers_ref->{"Vary"} = "Origin";

tests/integration/cors.t

@@ -30,7 +30,7 @@ my $tests_ref = [
 		path => '/cgi/auth.pl',
 		expected_status_code => 403,    # we are not authenticated
 		headers => {
-			"Access-Control-Allow-Origins" => "http://world.openfoodfacts.localhost",
+			"Access-Control-Allow-Origin" => "http://world.openfoodfacts.localhost",
 			"Access-Control-Allow-Credentials" => "true",
 			"Vary" => "Origin"
 		},
@@ -42,7 +42,7 @@ my $tests_ref = [
 		path => '/cgi/auth.pl',
 		expected_status_code => 403,    # we are not authenticated
 		headers => {
-			"Access-Control-Allow-Origins" => "http://world.openfoodfacts.localhost",
+			"Access-Control-Allow-Origin" => "http://world.openfoodfacts.localhost",
 			"Access-Control-Allow-Credentials" => "true",
 			"Vary" => "Origin"
 		},
@@ -55,7 +55,7 @@ my $tests_ref = [
 		expected_status_code => 403,    # because Options triggers a GET, and we are unauthenticated
 		headers_in => {"Origin" => "http://other.localhost"},
 		headers => {
-			"Access-Control-Allow-Origins" => "*",
+			"Access-Control-Allow-Origin" => "*",
 			"Access-Control-Allow-Credentials" => undef,
 		},
 		expected_type => "html",
@@ -66,7 +66,7 @@ my $tests_ref = [
 		path => '/api/v3/product/0000002',
 		expected_status_code => 404,
 		headers => {
-			"Access-Control-Allow-Origins" => "*",
+			"Access-Control-Allow-Origin" => "*",
 			"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
 		},
 		expected_type => "html",
@@ -77,7 +77,7 @@ my $tests_ref = [
 		path => '/api/v3/product/0000002',
 		expected_status_code => 404,
 		headers => {
-			"Access-Control-Allow-Origins" => "*",
+			"Access-Control-Allow-Origin" => "*",
 			"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
 		},
 		expected_type => "html",
@@ -88,7 +88,7 @@ my $tests_ref = [
 		path => '/api/v2/product/0000002',
 		expected_status_code => 404,
 		headers => {
-			"Access-Control-Allow-Origins" => "*",
+			"Access-Control-Allow-Origin" => "*",
 			"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
 		},
 		expected_type => "html",
@@ -99,7 +99,7 @@ my $tests_ref = [
 		path => '/api/v2/product/0000002',
 		expected_status_code => 404,
 		headers => {
-			"Access-Control-Allow-Origins" => "*",
+			"Access-Control-Allow-Origin" => "*",
 			"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
 		},
 		expected_type => "html",
@@ -120,7 +120,7 @@ $tests_ref = [
 		path => '/cgi/auth.pl',
 		expected_status_code => 200,    # authenticated
 		headers => {
-			"Access-Control-Allow-Origins" => "http://world.openfoodfacts.localhost",
+			"Access-Control-Allow-Origin" => "http://world.openfoodfacts.localhost",
 			"Access-Control-Allow-Credentials" => "true",
 			"Vary" => "Origin"
 		},
@@ -133,7 +133,7 @@ $tests_ref = [
 		expected_status_code => 200,    # authenticated
 		headers_in => {"Origin" => "http://other.localhost"},
 		headers => {
-			"Access-Control-Allow-Origins" => "*",
+			"Access-Control-Allow-Origin" => "*",
 			"Access-Control-Allow-Credentials" => undef,
 		},
 		expected_type => "html",

tests/unit/http.t

@@ -39,7 +39,7 @@ sub fake_headers_in ($fake_arg) {
 	};
 
 	my $headers_ref = get_cors_headers();
-	my $expected_ref = {%$expected_base_ref, ("Access-Control-Allow-Origins" => "*")};
+	my $expected_ref = {%$expected_base_ref, ("Access-Control-Allow-Origin" => "*")};
 	is_deeply($headers_ref, $expected_ref);
 
 	# allow credentials from sub domains
@@ -48,7 +48,7 @@ sub fake_headers_in ($fake_arg) {
 	$expected_ref = {
 		%$expected_base_ref,
 		(
-			"Access-Control-Allow-Origins" => "https://fr.openfoodfacts.localhost",
+			"Access-Control-Allow-Origin" => "https://fr.openfoodfacts.localhost",
 			"Access-Control-Allow-Credentials" => "true",
 			"Vary" => "Origin"
 		)
@@ -58,22 +58,22 @@ sub fake_headers_in ($fake_arg) {
 	# but do not allow for alien domains, we do not block request, but do not allow credentials
 	$HEADERS_IN = {"Origin" => "https://fr.example.com"};
 	$headers_ref = get_cors_headers(1);
-	$expected_ref = {%$expected_base_ref, ("Access-Control-Allow-Origins" => "*")};
+	$expected_ref = {%$expected_base_ref, ("Access-Control-Allow-Origin" => "*")};
 	is_deeply($headers_ref, $expected_ref);
 
 	# restrict to subdomain -> allow sub domain
 	$HEADERS_IN = {"Origin" => "https://fr.openfoodfacts.localhost"};
 	$headers_ref = get_cors_headers(0, 1);
 	$expected_ref = {
 		%$expected_base_ref,
-		("Access-Control-Allow-Origins" => "https://fr.openfoodfacts.localhost", "Vary" => "Origin")
+		("Access-Control-Allow-Origin" => "https://fr.openfoodfacts.localhost", "Vary" => "Origin")
 	};
 	is_deeply($headers_ref, $expected_ref);
 	$headers_ref = get_cors_headers(1, 1);
 	$expected_ref = {
 		%$expected_base_ref,
 		(
-			"Access-Control-Allow-Origins" => "https://fr.openfoodfacts.localhost",
+			"Access-Control-Allow-Origin" => "https://fr.openfoodfacts.localhost",
 			"Access-Control-Allow-Credentials" => "true",
 			"Vary" => "Origin"
 		)
@@ -84,7 +84,7 @@ sub fake_headers_in ($fake_arg) {
 	$HEADERS_IN = {"Origin" => "https://fr.example.com"};
 	$headers_ref = get_cors_headers(0, 1);
 	$expected_ref = {%$expected_base_ref,
-		("Access-Control-Allow-Origins" => "https://openfoodfacts.localhost", "Vary" => "Origin")};
+		("Access-Control-Allow-Origin" => "https://openfoodfacts.localhost", "Vary" => "Origin")};
 	is_deeply($headers_ref, $expected_ref);
 	$headers_ref = get_cors_headers(1, 1);
 	is_deeply($headers_ref, $expected_ref);