1
0
mirror of https://github.com/actix/actix-extras.git synced 2024-11-30 18:34:36 +01:00

Make request headers optional in CORS preflight (#816)

This commit is contained in:
James 2019-05-05 01:41:37 +10:00 committed by Nikolay Kim
parent fc19ce41c4
commit 7ef4f5ac0b

View File

@ -81,13 +81,6 @@ pub enum CorsError {
fmt = "The request header `Access-Control-Request-Headers` has an invalid value" fmt = "The request header `Access-Control-Request-Headers` has an invalid value"
)] )]
BadRequestHeaders, BadRequestHeaders,
/// The request header `Access-Control-Request-Headers` is required but is
/// missing.
#[display(
fmt = "The request header `Access-Control-Request-Headers` is required but is
missing"
)]
MissingRequestHeaders,
/// Origin is not allowed to make this request /// Origin is not allowed to make this request
#[display(fmt = "Origin is not allowed to make this request")] #[display(fmt = "Origin is not allowed to make this request")]
OriginNotAllowed, OriginNotAllowed,
@ -661,15 +654,18 @@ impl Inner {
Err(_) => return Err(CorsError::BadRequestHeaders), Err(_) => return Err(CorsError::BadRequestHeaders),
}; };
} }
// `Access-Control-Request-Headers` must contain 1 or more
if !hdrs.is_empty() && !hdrs.is_subset(allowed_headers) { // `field-name`.
if !hdrs.is_empty() {
if !hdrs.is_subset(allowed_headers) {
return Err(CorsError::HeadersNotAllowed); return Err(CorsError::HeadersNotAllowed);
} }
return Ok(()); return Ok(());
} }
}
Err(CorsError::BadRequestHeaders) Err(CorsError::BadRequestHeaders)
} else { } else {
Err(CorsError::MissingRequestHeaders) return Ok(());
} }
} }
} }
@ -874,6 +870,10 @@ mod tests {
let req = TestRequest::with_header("Origin", "https://www.example.com") let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::OPTIONS) .method(Method::OPTIONS)
.header(
header::ACCESS_CONTROL_REQUEST_HEADERS,
"X-Not-Allowed",
)
.to_srv_request(); .to_srv_request();
assert!(cors.inner.validate_allowed_method(req.head()).is_err()); assert!(cors.inner.validate_allowed_method(req.head()).is_err());
@ -887,7 +887,7 @@ mod tests {
.to_srv_request(); .to_srv_request();
assert!(cors.inner.validate_allowed_method(req.head()).is_err()); assert!(cors.inner.validate_allowed_method(req.head()).is_err());
assert!(cors.inner.validate_allowed_headers(req.head()).is_err()); assert!(cors.inner.validate_allowed_headers(req.head()).is_ok());
let req = TestRequest::with_header("Origin", "https://www.example.com") let req = TestRequest::with_header("Origin", "https://www.example.com")
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST") .header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")