XMLHttpRequest: fix a bug where 'Access-Control-Allow-Origin: *' was not handled correctly

duonglaiquang · rbri · commit 240506eee4f4 · 2026-03-12T13:06:44.000+01:00
diff --git a/src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java b/src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java
@@ -1133,6 +1133,10 @@ private boolean isPreflightAuthorized(final WebResponse preflightResponse) {
             if (HttpHeader.ACCESS_CONTROL_ALLOW_HEADERS.equalsIgnoreCase(pair.getName())) {
                 String value = pair.getValue();
                 if (value != null) {
+                    if ("*".equals(value)) {
+                        // all headers are allowed
+                        return true;
+                    }
                     value = org.htmlunit.util.StringUtils.toRootLowerCase(value);
                     final String[] values = org.htmlunit.util.StringUtils.splitAtComma(value);
                     for (String part : values) {
diff --git a/src/test/java/org/htmlunit/javascript/host/xml/XMLHttpRequestCORSTest.java b/src/test/java/org/htmlunit/javascript/host/xml/XMLHttpRequestCORSTest.java
@@ -615,6 +615,45 @@ public void preflight_many_header_values() throws Exception {
         verifyTitle2(getWebDriver(), getExpectedAlerts());
     }
 
+    /**
+     * @throws Exception if the test fails.
+     */
+    @Test
+    @Alerts({"4", "200"})
+    public void preflight_wildcard_allow_headers() throws Exception {
+        expandExpectedAlertsVariables(new URL("http://localhost:" + PORT));
+
+        final String html = DOCTYPE_HTML
+                + "<html><head>\n"
+                + "<script>\n"
+                + LOG_TITLE_FUNCTION
+                + "var xhr = new XMLHttpRequest();\n"
+                + "function test() {\n"
+                + "  try {\n"
+                + "    var url = 'http://' + window.location.hostname + ':" + PORT2 + "/preflight2';\n"
+                + "    xhr.open('GET', url, false);\n"
+                + "    xhr.setRequestHeader('X-PING', 'ping');\n"
+                + "    xhr.setRequestHeader('X-PONG', 'pong');\n"
+                + "    xhr.send();\n"
+                + "    log(xhr.readyState);\n"
+                + "    log(xhr.status);\n"
+                + "  } catch(e) { logEx(e) }\n"
+                + "}\n"
+                + "</script>\n"
+                + "</head>\n"
+                + "<body onload='test()'></body></html>";
+
+        PreflightServerServlet.ACCESS_CONTROL_ALLOW_ORIGIN_ = "http://localhost:" + PORT;
+        PreflightServerServlet.ACCESS_CONTROL_ALLOW_METHODS_ = "POST, GET, OPTIONS";
+        PreflightServerServlet.ACCESS_CONTROL_ALLOW_HEADERS_ = "*";
+        final Map<String, Class<? extends Servlet>> servlets2 = new HashMap<>();
+        servlets2.put("/preflight2", PreflightServerServlet.class);
+        startWebServer2(".", servlets2);
+
+        loadPage2(html, new URL(URL_FIRST, "/preflight1"));
+        verifyTitle2(getWebDriver(), getExpectedAlerts());
+    }
+
     /**
      * @throws Exception if the test fails.
      */
