From 54ac80719bf7cf02099fb5e45608aca1461e2103 Mon Sep 17 00:00:00 2001
From: duonglaiquang
Date: Thu, 12 Mar 2026 18:30:13 +0900
Subject: [PATCH] XMLHttpRequest: fix a bug where 'Access-Control-Allow-Origin: *' was not handled correctly
---
 .../javascript/host/xml/XMLHttpRequest.java | 4 ++
 .../host/xml/XMLHttpRequestCORSTest.java | 39 +++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java b/src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java
index 2eae09eaa0..1581ceca11 100644
--- a/src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java
+++ b/src/main/java/org/htmlunit/javascript/host/xml/XMLHttpRequest.java
@@ -1133,6 +1133,10 @@ private boolean isPreflightAuthorized(final WebResponse preflightResponse) {
 if (HttpHeader.ACCESS_CONTROL_ALLOW_HEADERS.equalsIgnoreCase(pair.getName())) {
 String value = pair.getValue();
 if (value != null) {
+ if ("*".equals(value)) {
+ // all headers are allowed
+ return true;
+ }
 value = org.htmlunit.util.StringUtils.toRootLowerCase(value);
 final String[] values = org.htmlunit.util.StringUtils.splitAtComma(value);
 for (String part : values) {
diff --git a/src/test/java/org/htmlunit/javascript/host/xml/XMLHttpRequestCORSTest.java b/src/test/java/org/htmlunit/javascript/host/xml/XMLHttpRequestCORSTest.java
index 4aa72c905b..9b9afe4f7a 100644
--- a/src/test/java/org/htmlunit/javascript/host/xml/XMLHttpRequestCORSTest.java
+++ b/src/test/java/org/htmlunit/javascript/host/xml/XMLHttpRequestCORSTest.java
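Review bot: The added `"*".equals(value)` branch returns `true` for every request, but under the Fetch CORS rules a wildcard in Access-Control-Allow-Headers counts only for requests sent without credentials, and it never covers the `Authorization` request header, which must be listed by name. As written, the emulated browser would accept a preflight that a real browser rejects, so a suite running on HtmlUnit can pass against a server CORS policy that is broken or looser than intended. The early `return true` also leaves `isPreflightAuthorized` from inside the header loop, so whatever checks follow in the part of the method outside this hunk are skipped, and a list value such as `x-foo, *` is not treated as a wildcard because the comparison runs before the split. Consider recording the wildcard instead of returning, for example `if ("*".equals(part) && !isWithCredentials()) { wildcard = true; }` inside the `for (String part : values)` loop, and still requiring an explicit `authorization` entry when that header is sent.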
@@ -615,6 +615,45 @@ public void preflight_many_header_values() throws Exception { verifyTitle2(getWebDriver(), getExpectedAlerts()); } + /** + * @throws Exception if the test fails. + */ + @Test + @Alerts({"4", "200"}) + public void preflight_wildcard_allow_headers() throws Exception { + expandExpectedAlertsVariables(new URL("http://localhost:" + PORT)); + + final String html = DOCTYPE_HTML + + "\n" + + "\n" + + "\n" + + ""; + + PreflightServerServlet.ACCESS_CONTROL_ALLOW_ORIGIN_ = "http://localhost:" + PORT; + PreflightServerServlet.ACCESS_CONTROL_ALLOW_METHODS_ = "POST, GET, OPTIONS"; + PreflightServerServlet.ACCESS_CONTROL_ALLOW_HEADERS_ = "*"; + final Map> servlets2 = new HashMap<>(); + servlets2.put("/preflight2", PreflightServerServlet.class); + startWebServer2(".", servlets2); + + loadPage2(html, new URL(URL_FIRST, "/preflight1")); + verifyTitle2(getWebDriver(), getExpectedAlerts()); + } + /** * @throws Exception if the test fails. */
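Review bot: `preflight_wildcard_allow_headers` pins only the accepting path, so nothing in the suite fails if the `*` shortcut is applied where browsers do not honour it. A companion case that sends the request with credentials, and one that adds an `Authorization` header, each with `ACCESS_CONTROL_ALLOW_HEADERS_ = "*"` and an expected failure, would fix the boundary of the wildcard in the tests. The script inside `html` is not visible in this rendering of the patch, so whether the request sets a non-simple header at all cannot be confirmed from here; the test only exercises the new branch if it does.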