Rack::Cors modifies headers to be case-sensitive, producing duplicated headers

[dgmora]

Similarly to #162, I was getting duplicated headers with Rack::Cors. Not only with Access-Control-Allow-Origin, but also with other headers. The issue is that here Rack::Cors merges the existing headers into add_headers here:

rack-cors/lib/rack/cors.rb

Lines 103 to 106 in 908ea29

	status, headers, body = @app.call env
	if add_headers
	headers = add_headers.merge(headers)

This is a problem because headers is usually a Rack::Utils::HeaderHash, which is a case-insensitive hash. By merging it into a regular hash, the headers are now case-sensitive, allowing duplicates if they have different cases.

I think this could be solved by making this hash a HeaderHash instead of a normal hash:

rack-cors/lib/rack/cors/resource.rb

Lines 61 to 70 in 908ea29

	def to_headers(env)
	h = {
	'Access-Control-Allow-Origin' => origin_for_response_header(env[Rack::Cors::HTTP_ORIGIN]),
	'Access-Control-Allow-Methods' => methods.collect { |m| m.to_s.upcase }.join(', '),
	'Access-Control-Expose-Headers' => expose.nil? ? '' : expose.join(', '),
	'Access-Control-Max-Age' => max_age.to_s
	}
	h['Access-Control-Allow-Credentials'] = 'true' if credentials
	h
	end

[cyu]

Fixed in [862a776]