Research: CORS Header Case Sensitivity in Supabase Edge Functions (RFC 7230 Compliance) #729
Description
Research: CORS Header Case Sensitivity in Supabase Edge Functions
Issue Summary
We encountered a CORS preflight error where Supabase Edge Functions appear to be doing case-sensitive comparison of headers in Access-Control-Allow-Headers, which violates RFC 7230 (HTTP headers should be case-insensitive).
The Problem
- Frontend sends:
X-Idempotency-Key(capital X, capital I, capital K) - CORS config had:
x-idempotency-key(all lowercase) - Result: CORS preflight fails with "Request header field x-idempotency-key is not allowed"
Expected Behavior (Per RFC 7230)
HTTP header field names are case-insensitive. The CORS spec inherits this, so X-Idempotency-Key and x-idempotency-key should be treated as identical.
Current Workaround
We're including both cases in our CORS headers config:
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-idempotency-key, X-Idempotency-Key'Questions to Research
1. Is this a known issue?
- Check Supabase GitHub issues
- Check Deno GitHub issues (since Edge Functions run on Deno)
- Search Discord/community forums
2. Where does the bug originate?
- Supabase Edge Functions runtime?
- Deno's HTTP server implementation?
- The CORS handling library?
3. Has anyone else encountered this?
- Look for similar workarounds in other projects
- Check if there are existing bug reports
4. Should we file an issue?
- With Supabase?
- With Deno?
- Both?
Research Links
- https://github.com/supabase/supabase/issues
- https://github.com/denoland/deno/issues
- https://discord.com/invite/supabase
- https://github.com/supabase/edge-runtime
- https://community.supabase.com/
Test Case to Reproduce
// Frontend sends:
fetch('https://xxx.supabase.co/functions/v1/queue-event', {
headers: {
'X-Idempotency-Key': 'test-123', // Capital letters
'Content-Type': 'application/json'
},
method: 'POST',
body: JSON.stringify({test: true})
})
// Edge Function CORS config:
export const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'x-idempotency-key' // Lowercase only
}
// Result: CORS preflight failsRFC References
- RFC 7230 Section 3.2: "Each header field consists of a case-insensitive field name..."
- CORS Spec: Inherits HTTP header case-insensitivity
Action Items
- Search existing issues in Supabase repo
- Search existing issues in Deno repo
- Post in Supabase Discord to see if others have encountered this
- Create minimal reproduction example
- File issue if not already reported
- Link issue in our code comment for tracking