From ffc1da55114b27b571415f1fd287dbdeda4d3a80 Mon Sep 17 00:00:00 2001
From: Martin Ficzel <ficzel@sitegeist.de>
Date: Thu, 10 Jul 2025 12:53:43 +0200
Subject: [PATCH] Handle comma separated values in
 Access-Control-Request-Headers

Not only may there be multiple Access-Control-Request-Headers, each header may contain a comma list of header names.
---
 Classes/Http/CorsHeaderMiddleware.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Classes/Http/CorsHeaderMiddleware.php b/Classes/Http/CorsHeaderMiddleware.php
index b05fb3f..647a325 100644
--- a/Classes/Http/CorsHeaderMiddleware.php
+++ b/Classes/Http/CorsHeaderMiddleware.php
@@ -319,6 +319,8 @@ private function areHeadersAllowed(array $headers): bool
         if ($this->allowedHeadersAll || $this->allowedHeaders === []) {
             return true;
         }
+        // each header may comma seperated itself
+        $headers = array_merge(...array_map(fn(string $line) => explode(',' , $line), $headers));
         foreach ($headers as $header) {
             if (!in_array($header, $this->allowedHeaders, true)) {
                 return false;