From d55fc6d7f5066ce50da9beeb770b0ab8503875c9 Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Sat, 6 Jan 2024 20:40:44 +0000
Subject: [PATCH] fix!(cors): default block_on_origin_mismatch to false (#379)
---
 actix-cors/CHANGES.md | 22 ++++++++++------------
 actix-cors/src/builder.rs | 11 ++++++-----
 actix-cors/src/inner.rs | 1 +
 actix-cors/tests/tests.rs | 28 ++++++++++++++++++----------
 4 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/actix-cors/CHANGES.md b/actix-cors/CHANGES.md
index f0809589d..757c4a7f1 100644
--- a/actix-cors/CHANGES.md
+++ b/actix-cors/CHANGES.md
@@ -3,6 +3,7 @@
 ## Unreleased
 - `Cors` is now marked `#[must_use]`.
+- Default for `Cors::block_on_origin_mismatch` is now false.
 - Minimum supported Rust version (MSRV) is now 1.75.
 ## 0.6.5
@@ -12,34 +13,29 @@
 ## 0.6.4
-- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`). [#297]
-
-[#297]: https://github.com/actix/actix-extras/pull/297
+- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`).
 ## 0.6.3
-- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected. [#287]
+- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected.
 - Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
-[#287]: https://github.com/actix/actix-extras/pull/287
-
 ## 0.6.2
-- Fix `expose_any_header` to return list of response headers. [#273]
+- Fix `expose_any_header` to return list of response headers.
 - Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
-[#273]: https://github.com/actix/actix-extras/pull/273
-
 ## 0.6.1
-- Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226]
-
-[#226]: https://github.com/actix/actix-extras/pull/226
+- Do not consider requests without a `Access-Control-Request-Method` as preflight.
 ## 0.6.0
 - Update `actix-web` dependency to 4.0.
+
+0.6.0 pre-releases
+
 ## 0.6.0-beta.10
 - Ensure that preflight responses contain a `Vary` header. [#224]
@@ -99,6 +95,8 @@
 - Update `actix-web` dependency to 4.0.0 beta.
 - Minimum supported Rust version (MSRV) is now 1.46.0.
+
+
 ## 0.5.4
 - Fix `expose_any_header` method, now set the correct field. [#143]
diff --git a/actix-cors/src/builder.rs b/actix-cors/src/builder.rs
index 2472cfec1..5ff087256 100644
--- a/actix-cors/src/builder.rs
+++ b/actix-cors/src/builder.rs
@@ -115,7 +115,7 @@ impl Cors {
 #[cfg(feature = "draft-private-network-access")]
 allow_private_network_access: false,
 vary_header: true,
- block_on_origin_mismatch: true,
+ block_on_origin_mismatch: false,
 };
 Cors {
@@ -477,7 +477,7 @@ impl Cors {
 /// and block requests based on pre-flight requests. Use this setting to allow cURL and other
 /// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
 ///
- /// Defaults to true.
+ /// Defaults to false.
 pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors {
 if let Some(cors) = cors(&mut self.inner, &self.error) {
 cors.block_on_origin_mismatch = block;
@@ -513,7 +513,7 @@ impl Default for Cors {
 #[cfg(feature = "draft-private-network-access")]
 allow_private_network_access: false,
 vary_header: true,
- block_on_origin_mismatch: true,
+ block_on_origin_mismatch: false,
 };
 Cors {
@@ -646,8 +646,9 @@ mod test {
 .insert_header(("Origin", "https://www.example.com"))
 .to_srv_request();
- let resp = test::call_service(&cors, req).await;
- assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+ let res = test::call_service(&cors, req).await;
+ assert_eq!(res.status(), StatusCode::OK);
+ assert!(!res.headers().contains_key("Access-Control-Allow-Origin"));
 }
 #[actix_web::test]
diff --git a/actix-cors/src/inner.rs b/actix-cors/src/inner.rs
index eb9b7ec27..786849acb 100644
--- a/actix-cors/src/inner.rs
+++ b/actix-cors/src/inner.rs
@@ -266,6 +266,7 @@ mod test {
 async fn test_validate_not_allowed_origin() {
 let cors = Cors::default()
 .allowed_origin("https://www.example.com")
+ .block_on_origin_mismatch(true)
 .new_transform(test::ok_service())
 .await
 .unwrap();
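Review bot: The doc comment changed to `/// Defaults to false.` in the `block_on_origin_mismatch` hunk of builder.rs records the new default but not what it means for the handler: with the default, a request whose `Origin` is not in the allow-list is no longer answered with 400 but is forwarded to the wrapped service with only the CORS response headers withheld, which is exactly what the updated `mod test` case asserts (`StatusCode::OK` and no `Access-Control-Allow-Origin`). Applications that relied on the former rejection to keep cross-origin state-changing requests from reaching their handlers must now opt in with `.block_on_origin_mismatch(true)`, since the handler's side effects run regardless of what a browser later does with the response. I would extend the doc with: `/// With the default, a request carrying a non-allowed Origin is still forwarded to the wrapped service; only the CORS response headers are omitted. Enable blocking if such requests must not reach handlers at all.` The same initializer literal is flipped in both the `@@ -115` (`impl Cors`) and `@@ -513` (`impl Default for Cors`) hunks, so the default lives in two places that can drift; having one constructor delegate to the other would remove the duplication, though both bodies extend outside the hunks.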
diff --git a/actix-cors/tests/tests.rs b/actix-cors/tests/tests.rs
index e5943b19d..ddc6ba680 100644
--- a/actix-cors/tests/tests.rs
+++ b/actix-cors/tests/tests.rs
@@ -382,12 +382,13 @@ async fn test_blocks_mismatched_origin_by_default() {
 .to_srv_request();
 let res = test::call_service(&cors, req).await;
- assert_eq!(res.status(), StatusCode::BAD_REQUEST);
- assert_eq!(res.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), None);
- assert!(res
+ assert_eq!(res.status(), StatusCode::OK);
+ assert!(!res
 .headers()
- .get(header::ACCESS_CONTROL_ALLOW_METHODS)
- .is_none());
+ .contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
+ assert!(!res
+ .headers()
+ .contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
 }
 #[actix_web::test]
@@ -529,16 +530,23 @@ async fn vary_header_on_all_handled_responses() {
 .await
 .unwrap();
- // regular request bad origin
+ // regular request OK with no CORS response headers
 let req = TestRequest::default()
 .method(Method::PUT)
 .insert_header((header::ORIGIN, "https://www.example.com"))
 .to_srv_request();
- let resp = test::call_service(&cors, req).await;
- assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+ let res = test::call_service(&cors, req).await;
+ assert_eq!(res.status(), StatusCode::OK);
+ assert!(!res
+ .headers()
+ .contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
+ assert!(!res
+ .headers()
+ .contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
+
 #[cfg(not(feature = "draft-private-network-access"))]
 assert_eq!(
- resp.headers()
+ res.headers()
 .get(header::VARY)
 .expect("response should have Vary header")
 .to_str()
@@ -547,7 +555,7 @@ async fn vary_header_on_all_handled_responses() {
 );
 #[cfg(feature = "draft-private-network-access")]
 assert_eq!(
- resp.headers()
+ res.headers()
 .get(header::VARY)
 .expect("response should have Vary header")
 .to_str()
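Review bot: The test in the `@@ -382` hunk is still named `test_blocks_mismatched_origin_by_default` (the name is only visible in the hunk header; the function starts outside the hunk), yet it now asserts `StatusCode::OK` and the absence of `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`, the opposite of what the name promises. Rename it to describe the new default, e.g. `async fn test_passes_through_mismatched_origin_by_default() {`. After this rewrite I see no test in tests.rs that still drives the `block_on_origin_mismatch(true)` path; a sibling test building the same `Cors` with that option enabled and asserting `StatusCode::BAD_REQUEST` would keep the rejection branch covered at the integration level, since the only remaining coverage visible in this patch is the unit test in inner.rs.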