[BUG] Allowing methods that are not uppercase should be possible but isn't #253

jub0bs opened this issue Dec 18, 2023 · 0 comments
jub0bs commented Dec 18, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Although method names are case-sensitive, Gorilla's CORS middleware takes the non-standard approach of normalising method names by uppercasing them. Such unwarranted case normalisation causes problems for clients that send requests whose method is not uppercase—and not some case-insensitive match for one of DELETE, GET, HEAD, OPTIONS, POST, or PUT, names for which the Fetch standard carves out an exception.

Expected Behavior

Gorilla should not normalise the case of allowed method names.

Steps To Reproduce

Here is a (failing) test case that illustrates the problem:

func TestHandlePreflightLowercaseAllowedMethod(t *testing.T) {
	const (
		origin = "https://foo.com"
		method = "patch"
	)
	req, _ := http.NewRequest(http.MethodOptions, "http://example.com/foo", nil)
	req.Header.Add("Origin", origin)
	req.Header.Add("Access-Control-Request-Method", method)

	rr := httptest.NewRecorder()

	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})

	cors := CORS(
		AllowedOrigins([]string{origin}),
		AllowedMethods([]string{method}),
	)
	cors(testHandler).ServeHTTP(rr, req)
	resp := rr.Result()

	if got, want := resp.StatusCode, http.StatusOK; got != want {
		t.Errorf("bad status: got %v want %v", got, want)
	}

	header := resp.Header.Get(corsAllowMethodsHeader)
	if got, want := header, method; got != want {
		t.Errorf("bad header: expected %q method header, got %q", want, got)
	}
}

Current result:

$ go test -run ^TestHandlePreflightLowercaseAllowedMethod$ github.com/gorilla/handlers
--- FAIL: TestHandlePreflightLowercaseAllowedMethod (0.00s)
    cors_test.go:210: bad status: got 405 want 200
    cors_test.go:215: bad header: expected "patch" method header, got ""
FAIL
FAIL    github.com/gorilla/handlers     0.790s
FAIL

Anything else?

More about this topic in one of my recent blog posts.

@jub0bs jub0bs added the bug label Dec 18, 2023
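
The mismatch reported in this issue, as an added example that is not part of the original issue and is not Gorilla's code: a minimal preflight handler that either uppercases the configured method names or compares them byte for byte. The `preflight` and `check` helpers are hypothetical, and origin validation is left out so that only the method comparison is shown.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// preflight (hypothetical helper) answers CORS preflight requests for a fixed
// list of allowed methods. With uppercase=true the configured names are
// uppercased first, the normalisation the issue objects to; otherwise they
// are kept as configured and compared byte for byte.
func preflight(allowed []string, uppercase bool) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, m := range allowed {
		if uppercase {
			m = strings.ToUpper(m)
		}
		set[m] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		m := r.Header.Get("Access-Control-Request-Method")
		if !set[m] {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Access-Control-Allow-Methods", m)
		w.WriteHeader(http.StatusOK)
	})
}

// check sends one preflight asking for the given method and returns the
// status code and the Access-Control-Allow-Methods response header.
func check(h http.Handler, requested string) (int, string) {
	req := httptest.NewRequest(http.MethodOptions, "http://example.com/foo", nil)
	req.Header.Set("Origin", "https://foo.com") // constructed sample origin
	req.Header.Set("Access-Control-Request-Method", requested)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("Access-Control-Allow-Methods")
}

func main() {
	for _, uppercase := range []bool{true, false} {
		h := preflight([]string{"patch"}, uppercase)
		for _, m := range []string{"patch", "PATCH"} {
			code, hdr := check(h, m)
			fmt.Printf("uppercase=%v requested=%q -> %d %q\n", uppercase, m, code, hdr)
		}
	}
}
```

With normalisation on, the configured `patch` is refused while `PATCH`, which was never configured, is accepted; the byte-for-byte comparison gives the opposite result.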