mirror of
https://github.com/actix/actix-extras.git
synced 2024-11-30 18:34:36 +01:00
Make request headers optional in CORS preflight (#816)
parent
fc19ce41c4
commit
7ef4f5ac0b
@ -81,13 +81,6 @@ pub enum CorsError {
|
|||||||
fmt = "The request header `Access-Control-Request-Headers` has an invalid value"
|
fmt = "The request header `Access-Control-Request-Headers` has an invalid value"
|
||||||
)]
|
)]
|
||||||
BadRequestHeaders,
|
BadRequestHeaders,
|
||||||
/// The request header `Access-Control-Request-Headers` is required but is
|
|
||||||
/// missing.
|
|
||||||
#[display(
|
|
||||||
fmt = "The request header `Access-Control-Request-Headers` is required but is
|
|
||||||
missing"
|
|
||||||
)]
|
|
||||||
MissingRequestHeaders,
|
|
||||||
/// Origin is not allowed to make this request
|
/// Origin is not allowed to make this request
|
||||||
#[display(fmt = "Origin is not allowed to make this request")]
|
#[display(fmt = "Origin is not allowed to make this request")]
|
||||||
OriginNotAllowed,
|
OriginNotAllowed,
|
||||||
@ -661,15 +654,18 @@ impl Inner {
|
|||||||
Err(_) => return Err(CorsError::BadRequestHeaders),
|
Err(_) => return Err(CorsError::BadRequestHeaders),
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
// `Access-Control-Request-Headers` must contain 1 or more
|
||||||
if !hdrs.is_empty() && !hdrs.is_subset(allowed_headers) {
|
// `field-name`.
|
||||||
|
if !hdrs.is_empty() {
|
||||||
|
if !hdrs.is_subset(allowed_headers) {
|
||||||
return Err(CorsError::HeadersNotAllowed);
|
return Err(CorsError::HeadersNotAllowed);
|
||||||
}
|
}
|
||||||
return Ok(());
|
return Ok(());
|
||||||
}
|
}
|
||||||
|
}
|
||||||
Err(CorsError::BadRequestHeaders)
|
Err(CorsError::BadRequestHeaders)
|
||||||
} else {
|
} else {
|
||||||
Err(CorsError::MissingRequestHeaders)
|
return Ok(());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -874,6 +870,10 @@ mod tests {
|
|||||||
|
|
||||||
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
||||||
.method(Method::OPTIONS)
|
.method(Method::OPTIONS)
|
||||||
|
.header(
|
||||||
|
header::ACCESS_CONTROL_REQUEST_HEADERS,
|
||||||
|
"X-Not-Allowed",
|
||||||
|
)
|
||||||
.to_srv_request();
|
.to_srv_request();
|
||||||
|
|
||||||
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
|
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
|
||||||
@ -887,7 +887,7 @@ mod tests {
|
|||||||
.to_srv_request();
|
.to_srv_request();
|
||||||
|
|
||||||
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
|
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
|
||||||
assert!(cors.inner.validate_allowed_headers(req.head()).is_err());
|
assert!(cors.inner.validate_allowed_headers(req.head()).is_ok());
|
||||||
|
|
||||||
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
||||||
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
|
||||||
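Review bot: In the `impl Inner` hunk the new `else` branch accepts a preflight that carries no `Access-Control-Request-Headers` at all, while a header that is present but leaves `hdrs` empty still falls through to `Err(CorsError::BadRequestHeaders)`; nothing in the visible code or tests explains or pins that asymmetry. I would add a comment on the `else` branch such as `// Header absent: the client is not asking for any non-safelisted headers, so there is nothing to validate.` and a test for a present-but-empty header value next to the changed `is_ok()` assertion in the last tests hunk. The branch can also end in the tail expression `Ok(())` instead of `return Ok(());`, matching the `Err(CorsError::BadRequestHeaders)` tail above it. Separately, dropping `MissingRequestHeaders` from the public `CorsError` enum breaks any downstream `match` that names it, so the change wants a changelog entry and a matching version bump. The function body starts outside the hunk, so the parsing loop is inferred only from its visible `Err(_)` arm.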
|