Change from space-speparated to comma-speparated

To better match the CORS specification.  It doesn't really matter, but
it is nice to have the configuration match the spec when possible.

README.md

@@ -17,8 +17,9 @@ require "sinatra"
 require "sinatra/cors"
 
 set :allow_origin, "http://example.com http://foo.com"
-set :allow_methods, "GET HEAD POST"
-set :allow_headers, "content-type"
+set :allow_methods, "GET,HEAD,POST"
+set :allow_headers, "content-type,if-modified-since"
+set :expose_headers, "location,link"
 
 get "/foo" do
   "foo"
@@ -35,8 +36,9 @@ class Foo < Sinatra::Base
   register Sinatra::Cors
 
   set :allow_origin, "http://example.com http://foo.com"
-  set :allow_methods, "GET HEAD POST"
-  set :allow_headers, "content-type"
+  set :allow_methods, "GET,HEAD,POST"
+  set :allow_headers, "content-type,if-modified-since"
+  set :expose_headers, "location,link"
 
   get "/foo" do
     "foo"
@@ -47,12 +49,8 @@ end
 Settings
 --------
 * **allow_origin**: A space-separated list of allowed origins. (Example: "https://example.com")
-* **allow_methods**: A space-separated list of allowed methods. (Example: "GET HEAD POST")
-* **allow_headers**: A space-spearated list of allowed request headers. (Example: "content-type")
+* **allow_methods**: A comma-separated list of allowed methods. (Example: "GET,HEAD,POST")
+* **allow_headers**: A comma-spearated list of allowed request headers. (Example: "content-type,if-modified-since")
 * **max_age**: The number of seconds you allow the client to cache a preflight response (Example: "500")
-* **expose_headers**: A space-separated list of response headers the client will have access to. (Example: "location link")
+* **expose_headers**: A comma-separated list of response headers the client will have access to. (Example: "location,link")
 * **allow_credentials**: If true, it will allow actual requests to send things like cookies, HTTP authentication, and client-side SSL certificates. (Example: true)
-
-Comming Soon
-------------
-* Route specific settings

lib/sinatra/cors.rb

@@ -42,19 +42,20 @@ def is_preflight_request?
       end
 
       def method_is_allowed?
-        allow_methods = settings.allow_methods.split & response.headers["Allow"].split
-        request_method = request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
-        allow_methods.include? request_method
+        allow_methods =
+          settings.allow_methods.upcase.split(/\s*,\s*/) &
+          response.headers["Allow"].upcase.split(/\s*,\s*/)
+        allow_methods.include? request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"].upcase
       end
 
       def headers_are_allowed?
         allow_headers = settings.allow_headers
         request_headers = request.env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"] || ""
-        (request_headers.split - allow_headers.split).empty?
+        (request_headers.downcase.split(/\s*,\s*/) - allow_headers.downcase.split(/\s*,\s*/)).empty?
       end
 
       def origin_is_allowed?
-        settings.allow_origin == "*" || settings.allow_origin.split.include?(request.env["HTTP_ORIGIN"])
+        settings.allow_origin == "*" || settings.allow_origin.downcase.split.include?(request.env["HTTP_ORIGIN"])
       end
 
       def allowed_methods
@@ -110,7 +111,7 @@ def self.registered(app)
 
         pass if allow.size == 1
 
-        response.headers["Allow"] = allow.join " "
+        response.headers["Allow"] = allow.join ","
       end
 
       app.after do

sinatra-cors.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name = "sinatra-cors"
-  s.version = "1.0.0"
-  s.date = "2017-07-25"
+  s.version = "1.0.1"
+  s.date = "2017-07-29"
   s.summary = "CORS support for Sinatra applications"
   s.description = <<-EOT
 This Sinatra plugin supports the full CORS spec including automatic support for CORS preflight (OPTIONS) requests.  It uses CORS security best practices.  The plugin logs to the default logger to guide you in setting things up properly.  It will tell you why a CORS request failed and tell you how to fix it.

spec/cors_spec.rb

@@ -62,7 +62,7 @@ def app
     end
 
     it "should have an Allow header build from existing routes" do
-      expect(last_response["Allow"]).to eq("OPTIONS GET HEAD DELETE")
+      expect(last_response["Allow"]).to eq("OPTIONS,GET,HEAD,DELETE")
     end
 
     it "should have an Access-Control-Allow-Methods header that includes only the method requested" do
@@ -163,13 +163,13 @@ def make_request(allow_origin)
     end
 
     it "should be set to the value of the :expose_headers setting" do
-      Sinatra::Application.set :expose_headers, "location link"
+      Sinatra::Application.set :expose_headers, "location,link"
       rack_env = {
         "HTTP_ORIGIN" => "http://example.com",
       }
       get "/foo/1", {}, rack_env
 
-      expect(last_response["Access-Control-Expose-Headers"]).to eq("location link")
+      expect(last_response["Access-Control-Expose-Headers"]).to eq("location,link")
     end
   end
 end

spec/fixture.rb

@@ -2,8 +2,9 @@
 require "./lib/sinatra/cors"
 
 set :allow_origin, "http://example.com http://foo.com"
-set :allow_methods, "GET HEAD POST"
-set :allow_headers, "content-type if-modified-since"
+set :allow_methods, "GET,HEAD,POST"
+set :allow_headers, "content-type,if-modified-since"
+set :expose_headers, "location,link"
 
 get "/foo/:id" do
   "foo"