Panic on wildcard in Cors builder's allowed_origin() (#114)

* Assert allowed origin in Cors builder * Add panic test for wildcard * Add changelog entry * rustfmt * Apply suggestions from code review Co-authored-by: Rob Ede <robjtede@icloud.com> Co-authored-by: Rob Ede <robjtede@icloud.com>
2025-06-26 10:27:42 +02:00 · 2020-10-10 20:25:33 +07:00
parent 134e43ab5e
commit 06f17ec223
3 changed files with 23 additions and 1 deletions
--- a/actix-cors/src/builder.rs
+++ b/actix-cors/src/builder.rs
@ -115,10 +115,18 @@ impl Cors {
    /// `allowed_origin_fn` function is set, these functions will be used to determinate
    /// allowed origins.
    ///
-    /// Builder panics if supplied origin is not valid uri.
+    /// # Panics
+    ///
+    /// * If supplied origin is not valid uri, or
+    /// * If supplied origin is a wildcard (`*`). [`Cors::send_wildcard`] should be used instead.
    ///
    /// [Fetch Standard]: https://fetch.spec.whatwg.org/#origin-header
    pub fn allowed_origin(mut self, origin: &str) -> Cors {
+        assert!(
+            origin != "*",
+            "Wildcard in `allowed_origin` is not allowed. Use `send_wildcard`."
+        );
+
        if let Some(cors) = cors(&mut self.cors, &self.error) {
            match TryInto::<Uri>::try_into(origin) {
                Ok(_) => {