Wrong CORS headers when duplicate header in Access-Control-Request-Headers in v0.40.8

[wewelll]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

Today I've tried to update oatheeper from v0.40.7 to v0.40.8. I'm using as API gateway in front of my backend services.

It created a very odd bug for Firefox users: the CORS headers stopped working for them. But everything was working correctly on Google Chrome...

I reproduced the bug in my local environment, and did a bit of debugging to understand what is going on.
It seems that in the v0.40.8 Oathkeeper does not return the expected CORS headers if they're duplicated.

For instance if I have a header Access-Control-Request-Headers: b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid it will work, but if I have Access-Control-Request-Headers: b3,b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid it won't work.

The only difference is that the b3 is duplicated in the second version. I don't know why the b3 is duplicated by the way and I don't have control over it. But the server should still return the correct CORS headers even when the header is duplicated.

Reproducing the bug

When I run this it works

  curl http://localhost:4455/v0/identity/073f80e1-3363-40dc-9292-62ceaf75a34a \
   -X OPTIONS \
   -H "Access-Control-Request-Method: GET" \
   -H "Access-Control-Request-Headers: b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid" \
   -H "Origin: http://localhost:4000" \
   -v
* Host localhost:4455 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:4455...
* Connected to localhost (::1) port 4455
> OPTIONS /v0/identity/073f80e1-3363-40dc-9292-62ceaf75a34a HTTP/1.1
> Host: localhost:4455
> User-Agent: curl/8.7.1
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid
> Origin: http://localhost:4000
>
* Request completely sent off
< HTTP/1.1 204 No Content
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: http://localhost:4000
< Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
< Date: Thu, 26 Dec 2024 21:17:52 GMT
<
* Connection #0 to host localhost left intact

But if I run this it does not work

 curl http://localhost:4455/v0/identity/073f80e1-3363-40dc-9292-62ceaf75a34a \
   -X OPTIONS \
   -H "Access-Control-Request-Method: GET" \
   -H "Access-Control-Request-Headers: b3,b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid" \
   -H "Origin: http://localhost:4000" \
   -v
* Host localhost:4455 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:4455...
* Connected to localhost (::1) port 4455
> OPTIONS /v0/identity/073f80e1-3363-40dc-9292-62ceaf75a34a HTTP/1.1
> Host: localhost:4455
> User-Agent: curl/8.7.1
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: b3,b3,traceparent,x-b3-sampled,x-b3-spanid,x-b3-traceid
> Origin: http://localhost:4000
>
* Request completely sent off
< HTTP/1.1 204 No Content
< Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
< Date: Thu, 26 Dec 2024 21:17:43 GMT
<
* Connection #0 to host localhost left intact

Relevant log output

No response

Relevant configuration

No response

Version

v0.40.8

On which operating system are you observing this issue?

None

In which environment are you deploying?

Ory Network

Additional Context

No response

[aeneasr]

Unfortunately I have no idea what could cause this.

[wewelll]

it could come from this middleware : https://github.com/ory/x/blob/master/corsx/middleware.go