From 305ed5d3fa4ad970930f513e16d700998b45709a Mon Sep 17 00:00:00 2001
From: Stuart Clark <stu@rtclark.net>
Date: Mon, 18 Aug 2025 09:48:39 +1000
Subject: [PATCH 1/2] feat(#3541756): set default CORS allowedHeaders.

---
 src/DruxtServiceProvider.php                 | 7 +++++++
 tests/src/Functional/CorsIntegrationTest.php | 1 +
 2 files changed, 8 insertions(+)

diff --git a/src/DruxtServiceProvider.php b/src/DruxtServiceProvider.php
index 9e1ef89..6a67058 100644
--- a/src/DruxtServiceProvider.php
+++ b/src/DruxtServiceProvider.php
@@ -16,7 +16,14 @@ class DruxtServiceProvider implements ServiceModifierInterface {
   public function alter(ContainerBuilder $container) {
     $cors_config = $container->getParameter('cors.config');
     if (!$cors_config['enabled']) {
+      // Enable CORS by default.
       $cors_config['enabled'] = TRUE;
+
+      // Set allowed headers to '*' by default.
+      if (count($cors_config['allowedHeaders']) === 0) {
+        $cors_config['allowedHeaders'][] = '*';
+      }
+
       $container->setParameter('cors.config', $cors_config);
     }
   }
diff --git a/tests/src/Functional/CorsIntegrationTest.php b/tests/src/Functional/CorsIntegrationTest.php
index e4d9cf6..002703e 100644
--- a/tests/src/Functional/CorsIntegrationTest.php
+++ b/tests/src/Functional/CorsIntegrationTest.php
@@ -27,6 +27,7 @@ class CorsIntegrationTest extends BrowserTestBase {
   public function testCrossSiteRequestEnabled() {
     $cors_config = $this->container->getParameter('cors.config');
     $this->assertTrue($cors_config['enabled']);
+    $this->assertEquals($cors_config['allowedHeaders'][0], '*');
   }
 
 }

From 1acf481ff804f776e62eca8c6fadab9b5771d17f Mon Sep 17 00:00:00 2001
From: Stuart Clark <stu@rtclark.net>
Date: Mon, 18 Aug 2025 10:08:47 +1000
Subject: [PATCH 2/2] chore(#3541756): update code per review.

---
 src/DruxtServiceProvider.php                 | 6 +++---
 tests/src/Functional/CorsIntegrationTest.php | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/DruxtServiceProvider.php b/src/DruxtServiceProvider.php
index 6a67058..be3f995 100644
--- a/src/DruxtServiceProvider.php
+++ b/src/DruxtServiceProvider.php
@@ -19,9 +19,9 @@ public function alter(ContainerBuilder $container) {
       // Enable CORS by default.
       $cors_config['enabled'] = TRUE;
 
-      // Set allowed headers to '*' by default.
-      if (count($cors_config['allowedHeaders']) === 0) {
-        $cors_config['allowedHeaders'][] = '*';
+      // Set allowed headers to '*' by default when empty/undefined.
+      if (empty($cors_config['allowedHeaders'])) {
+        $cors_config['allowedHeaders'] = ['*'];
       }
 
       $container->setParameter('cors.config', $cors_config);
diff --git a/tests/src/Functional/CorsIntegrationTest.php b/tests/src/Functional/CorsIntegrationTest.php
index 002703e..927debb 100644
--- a/tests/src/Functional/CorsIntegrationTest.php
+++ b/tests/src/Functional/CorsIntegrationTest.php
@@ -27,7 +27,7 @@ class CorsIntegrationTest extends BrowserTestBase {
   public function testCrossSiteRequestEnabled() {
     $cors_config = $this->container->getParameter('cors.config');
     $this->assertTrue($cors_config['enabled']);
-    $this->assertEquals($cors_config['allowedHeaders'][0], '*');
+    $this->assertContains('*', $cors_config['allowedHeaders']);
   }
 
 }