Correct composing of multiple origins in cors (#518)

CHANGES.md

@@ -5,6 +5,7 @@
 ### Fixed
 
 * HTTP1 decoding errors are reported to the client. #512
+* Correctly compose multiple allowed origins in CORS. #517
 
 ## [0.7.8] - 2018-09-17
 

src/middleware/cors.rs

@@ -826,8 +826,8 @@ impl<S: 'static> CorsBuilder<S> {
         if let AllOrSome::Some(ref origins) = cors.origins {
             let s = origins
                 .iter()
-                .fold(String::new(), |s, v| s + &v.to_string());
+                .fold(String::new(), |s, v| format!("{}, {}", s, v));
-            cors.origins_str = Some(HeaderValue::try_from(s.as_str()).unwrap());
+            cors.origins_str = Some(HeaderValue::try_from(&s[2..]).unwrap());
         }
 
         if !self.expose_hdrs.is_empty() {
@@ -1122,16 +1122,18 @@ mod tests {
         let cors = Cors::build()
             .disable_vary_header()
             .allowed_origin("https://www.example.com")
+            .allowed_origin("https://www.google.com")
             .finish();
         let resp: HttpResponse = HttpResponse::Ok().into();
         let resp = cors.response(&req, resp).unwrap().response();
-        assert_eq!(
+
-            &b"https://www.example.com"[..],
+        let origins_str = resp.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN).unwrap().to_str().unwrap();
-            resp.headers()
+
-                .get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
+        if origins_str.starts_with("https://www.example.com") {
-                .unwrap()
+            assert_eq!("https://www.example.com, https://www.google.com", origins_str);
-                .as_bytes()
+        } else {
-        );
+            assert_eq!("https://www.google.com, https://www.example.com", origins_str);
+        }
     }
 
     #[test]