Fixed #17: Removes Access-Control-Allow-Origin header from server

Author: NickMRamirez

example/haproxy/cors.lua

@@ -51,9 +51,9 @@ end
 -- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
 function preflight_request_ver1(txn, allowed_methods, allowed_headers)
   core.Debug("CORS: preflight request received")
-  txn.http:res_add_header("Access-Control-Allow-Methods", allowed_methods)
-  txn.http:res_add_header("Access-Control-Allow-Headers", allowed_headers)
-  txn.http:res_add_header("Access-Control-Max-Age", 600)
+  txn.http:res_set_header("Access-Control-Allow-Methods", allowed_methods)
+  txn.http:res_set_header("Access-Control-Allow-Headers", allowed_headers)
+  txn.http:res_set_header("Access-Control-Max-Age", 600)
   core.Debug("CORS: attaching allowed methods to response")
 end
 
@@ -148,7 +148,7 @@ function cors_response(txn)
     end
 
     core.Debug("CORS: " .. origin .. " allowed")
-    txn.http:res_add_header("Access-Control-Allow-Origin", allowed_origin)
+    txn.http:res_set_header("Access-Control-Allow-Origin", allowed_origin)
   end
 end
 

example/haproxy/haproxy.cfg

@@ -18,8 +18,6 @@ listen ui
 listen api
     bind :8080
 
-    
-
     # Invoke the CORS service on the request to capture the Origin header
     http-request lua.cors "GET,PUT,POST", "localhost", "X-Custom-Header"
 

example/web/index.js

@@ -15,6 +15,7 @@ app.get('/', function (req, res) {
 
 // the API
 app.get('/getdata', function(req, res) {
+  res.set("Access-Control-Allow-Origin", "blah.com") // this should be overwritten by HAProxy
   res.send('Message from the server!')
 })
 

lib/cors.lua

@@ -51,9 +51,9 @@ end
 -- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
 function preflight_request_ver1(txn, allowed_methods, allowed_headers)
   core.Debug("CORS: preflight request received")
-  txn.http:res_add_header("Access-Control-Allow-Methods", allowed_methods)
-  txn.http:res_add_header("Access-Control-Allow-Headers", allowed_headers)
-  txn.http:res_add_header("Access-Control-Max-Age", 600)
+  txn.http:res_set_header("Access-Control-Allow-Methods", allowed_methods)
+  txn.http:res_set_header("Access-Control-Allow-Headers", allowed_headers)
+  txn.http:res_set_header("Access-Control-Max-Age", 600)
   core.Debug("CORS: attaching allowed methods to response")
 end
 
@@ -148,7 +148,7 @@ function cors_response(txn)
     end
 
     core.Debug("CORS: " .. origin .. " allowed")
-    txn.http:res_add_header("Access-Control-Allow-Origin", allowed_origin)
+    txn.http:res_set_header("Access-Control-Allow-Origin", allowed_origin)
   end
 end