# File lib/rack/cors.rb, line 173 def to_headers(env) x_origin = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] h = { 'Access-Control-Allow-Origin' => origin_for_response_header(env['HTTP_ORIGIN']), 'Access-Control-Allow-Methods' => methods.collect{|m| m.to_s.upcase}.join(', '), 'Access-Control-Expose-Headers' => expose.nil? ? '' : expose.join(', '), 'Access-Control-Max-Age' => max_age.to_s } h['Access-Control-Allow-Credentials'] = 'true' if credentials h end