@y9san9 y9san9 commented Dec 8, 2025

Subsystem
Server: CORS

Motivation
There is a function to allow any host (anyHost). Since 2016 it is allowed to pass '*' to headers as well: whatwg/fetch#251. I expect to have anyHeader.

Solution
Added the function.

Contributor

coderabbitai bot commented Dec 8, 2025

Walkthrough

A new public method anyHeader() was added to the CORSConfig class. This method configures CORS to permit any header in actual requests by enabling non-simple content types and registering a wildcard header entry.

Changes

| Cohort / File(s) | Summary of changes |
| --- | --- |
| CORS anyHeader API: ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt | Added public method anyHeader() to enable any header for CORS requests by setting allowNonSimpleContentTypes to true and adding "*" to the headers set. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–10 minutes

  • Verify the method implementation correctly sets allowNonSimpleContentTypes and adds the wildcard header entry
  • Confirm alignment with existing CORS configuration patterns in the class
  • Check for adequate inline documentation or usage guidance

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding an anyHeader() method to match the existing anyHost() functionality in CORS configuration. |
| Description check | ✅ Passed | The description follows the template structure and provides clear motivation (symmetry with anyHost and spec compliance) and solution (added the function). |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e081285 and 111303f.

📒 Files selected for processing (1)
  • ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.kt

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.kt: Follow Kotlin official style guide (https://kotlinlang.org/docs/coding-conventions.html)
Use star imports for io.ktor.* packages
Document all public APIs including parameters, return types, and exceptions
Mark internal APIs with @InternalAPI annotation
Run ./gradlew lintKotlin and fix all linting issues before giving control back to the user
Use ./gradlew formatKotlin to automatically fix formatting issues
Run ./gradlew updateLegacyAbi after making ABI changes to update ABI signature files
Binary compatibility is enforced - all public API changes must be tracked in the /api/ directories
Validate ABI with ./gradlew checkLegacyAbi and update with ./gradlew updateLegacyAbi
API changes must be intentional and well-documented
Error handling follows Kotlin conventions with specific Ktor exceptions

Files:

  • ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt
🧠 Learnings (1)
📚 Learning: 2025-05-30T06:45:52.309Z
Learnt from: rururux
Repo: ktorio/ktor PR: 4896
File: ktor-client/ktor-client-core/jvm/test/FileStorageTest.kt:1-12
Timestamp: 2025-05-30T06:45:52.309Z
Learning: The headersOf() function from io.ktor.http package is available through wildcard imports like `import io.ktor.http.*`, so no explicit import statement is needed when using wildcard imports from that package.

Applied to files:

  • ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt
🔇 Additional comments (1)
ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt (1)

260-268: New anyHeader() API looks correct and consistent with existing CORS config

The implementation matches the intent: it enables non‑simple content types and registers "*" in headers, mirroring the existing anyHost() pattern and giving a clear, opt‑in “allow any header” switch. KDoc is present and aligned with neighboring APIs.

Two follow‑ups to keep in mind:

  • Since this is a new public API on CORSConfig, ensure the ABI metadata is updated and passing: run ./gradlew checkLegacyAbi and, if needed, ./gradlew updateLegacyAbi and commit the updated /api files.
  • As per project conventions, re‑run ./gradlew lintKotlin (and ./gradlew formatKotlin if necessary) to confirm there are no style or inspection regressions around this change.

Contributor

@bjhham bjhham left a comment

Please introduce a test in io.ktor.tests.server.plugins.CORSTest for the new behaviour.

It looks like this will respond with a forbidden from using the headers field instead of headerPredicates. Check out io.ktor.server.plugins.cors.CORSUtilsKt#corsCheckRequestHeaders.
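
The concern in the review comment above, shown as an added example (not code from this PR or from Ktor's source): a simplified model of a preflight check that consults a literal `headers` set and a list of `headerPredicates`. The function names `preflightHeadersAllowed` and `parseRequestHeaders` and the sample header names are hypothetical and constructed for illustration.

```kotlin
// Simplified, self-contained model of a CORS preflight header check.
// Not Ktor's implementation; names below are hypothetical.

typealias HeaderPredicate = (String) -> Boolean

/** Splits a constructed Access-Control-Request-Headers value into header names. */
fun parseRequestHeaders(value: String): List<String> =
    value.split(",").map { it.trim() }.filter { it.isNotEmpty() }

/** Every requested header must be a known literal or satisfy some predicate. */
fun preflightHeadersAllowed(
    requested: List<String>,
    allowedLiterals: Set<String>,       // models the `headers` set (lowercase names)
    predicates: List<HeaderPredicate>,  // models `headerPredicates`
): Boolean = requested
    .map { it.lowercase() }             // header names are case-insensitive
    .all { name -> name in allowedLiterals || predicates.any { it(name) } }

fun main() {
    // Constructed sample of what a browser might send in a preflight request.
    val requested = parseRequestHeaders("X-Request-Id, X-Client-Version")

    val anyName: HeaderPredicate = { true }
    val xPrefix: HeaderPredicate = { it.startsWith("x-") }

    // "*" stored as a literal is compared by name, so it never equals a real header.
    val literalWildcard = preflightHeadersAllowed(requested, setOf("*"), emptyList())

    // The same intent expressed as a predicate accepts every header name.
    val predicateWildcard = preflightHeadersAllowed(requested, emptySet(), listOf(anyName))

    // A narrower policy: only headers with a known prefix.
    val prefixOnly = preflightHeadersAllowed(requested, emptySet(), listOf(xPrefix))

    println("literal \"*\" in set -> allowed=$literalWildcard")
    println("predicate { true }  -> allowed=$predicateWildcard")
    println("predicate x- prefix -> allowed=$prefixOnly")

    // The literal wildcard rejects the preflight; both predicate forms accept it.
    check(!literalWildcard && predicateWildcard && prefixOnly)
}
```

In the Fetch standard, `*` in Access-Control-Allow-Headers acts as a wildcard only for requests without credentials, and `Authorization` always has to be listed by name. A test for this feature should therefore cover a credentialed preflight as well as an anonymous one.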
