From fc2d770175cdea0fa8a7eb2f7bdfc46401906eb7 Mon Sep 17 00:00:00 2001 From: Pedro Condeco Date: Mon, 24 Oct 2022 20:26:59 +0200 Subject: [PATCH] Issue: master - [Improvement] avoid repeated allowed-headers --- cors.go | 27 +++++++++++++++++++-------- cors_test.go | 6 ++++++ 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/cors.go b/cors.go index a47b7df..4d72040 100644 --- a/cors.go +++ b/cors.go @@ -4,15 +4,15 @@ as defined by http://www.w3.org/TR/cors/ You can configure it by passing an option struct to cors.New: - c := cors.New(cors.Options{ - AllowedOrigins: []string{"foo.com"}, - AllowedMethods: []string{http.MethodGet, http.MethodPost, http.MethodDelete}, - AllowCredentials: true, - }) + c := cors.New(cors.Options{ + AllowedOrigins: []string{"foo.com"}, + AllowedMethods: []string{http.MethodGet, http.MethodPost, http.MethodDelete}, + AllowCredentials: true, + }) Then insert the handler in the chain: - handler = c.Handler(handler) + handler = c.Handler(handler) See Options documentation for more options. @@ -162,8 +162,19 @@ func New(options Options) *Cors { // Use sensible defaults c.allowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"} } else { - // Origin is always appended as some browsers will always request for this header at preflight - c.allowedHeaders = convert(append(options.AllowedHeaders, "Origin"), http.CanonicalHeaderKey) + // Remove duplicated allowed headers + allowedHeadersMap := map[string]struct{}{ + // Origin is always appended as some browsers will always request for this header at preflight + "Origin": {}, + } + for _, h := range options.AllowedHeaders { + allowedHeadersMap[h] = struct{}{} + } + allowedHeadersToConvert := []string{} + for k := range allowedHeadersMap { + allowedHeadersToConvert = append(allowedHeadersToConvert, k) + } + c.allowedHeaders = convert(allowedHeadersToConvert, http.CanonicalHeaderKey) for _, h := range options.AllowedHeaders { if h == "*" { c.allowedHeadersAll = true 
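Review bot: In the second cors.go hunk (inside `New`), the de-duplication map is keyed on the raw strings from `options.AllowedHeaders`, and `convert(..., http.CanonicalHeaderKey)` runs only afterwards, so spellings that differ in case (`content-type` and `Content-Type`) stay separate keys and presumably end up as the same entry twice in `c.allowedHeaders`. Ranging over the map also makes the order of `c.allowedHeaders` vary between runs, which makes the effective allow-list harder to compare in tests, logs and configuration audits. Canonicalizing before the lookup and appending in input order fixes both and removes the intermediate slice. The sketch below puts `Origin` first instead of last, which should not matter if the list is only used for membership checks. The rest of `New`, including the loop that sets `c.allowedHeadersAll`, lies outside the hunk.

```go
	// Origin is always allowed as some browsers will always request for this header at preflight
	seen := map[string]struct{}{"Origin": {}}
	c.allowedHeaders = append(make([]string, 0, len(options.AllowedHeaders)+1), "Origin")
	for _, h := range options.AllowedHeaders {
		key := http.CanonicalHeaderKey(h)
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		c.allowedHeaders = append(c.allowedHeaders, key)
	}
	// … unchanged: loop over options.AllowedHeaders that sets c.allowedHeadersAll on "*" …
```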
diff --git a/cors_test.go b/cors_test.go index da16a29..ef29473 100644 --- a/cors_test.go +++ b/cors_test.go @@ -691,6 +691,12 @@ func TestCorsAreHeadersAllowed(t *testing.T) { requestedHeaders: parseHeaderList("X-PINGOTHER, Content-Type"), want: false, }, + { + name: "no repeated headers", + allowedHeaders: []string{"Origin", "Origin", "Origin", "Content-Type", "Content-Type"}, + requestedHeaders: parseHeaderList("Origin, Content-Type"), + want: true, + }, } for _, tt := range cases {
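Review bot: The added "no repeated headers" case asserts only `want: true`, which the header check would presumably also return if the duplicates were kept, so it does not pin the behaviour this commit introduces. An assertion on the constructed list would fail on a regression, for example that the `allowedHeaders` field of the resulting Cors has length 2 for this input. A mixed-case input such as `[]string{"content-type", "Content-Type"}` would cover the canonicalization path as well. The table and the loop that runs it extend beyond the hunk, so how `allowedHeaders` reaches `New` is not visible here.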