fix!(cors): default block_on_origin_mismatch to false (#379)
This commit is contained in:
parent
e2bf504055
commit
d55fc6d7f5
@ -3,6 +3,7 @@
|
|||||||
## Unreleased
|
## Unreleased
|
||||||
|
|
||||||
- `Cors` is now marked `#[must_use]`.
|
- `Cors` is now marked `#[must_use]`.
|
||||||
|
- Default for `Cors::block_on_origin_mismatch` is now false.
|
||||||
- Minimum supported Rust version (MSRV) is now 1.75.
|
- Minimum supported Rust version (MSRV) is now 1.75.
|
||||||
|
|
||||||
## 0.6.5
|
## 0.6.5
|
||||||
@ -12,34 +13,29 @@
|
|||||||
|
|
||||||
## 0.6.4
|
## 0.6.4
|
||||||
|
|
||||||
- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`). [#297]
|
- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`).
|
||||||
|
|
||||||
[#297]: https://github.com/actix/actix-extras/pull/297
|
|
||||||
|
|
||||||
## 0.6.3
|
## 0.6.3
|
||||||
|
|
||||||
- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected. [#287]
|
- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected.
|
||||||
- Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
|
- Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
|
||||||
|
|
||||||
[#287]: https://github.com/actix/actix-extras/pull/287
|
|
||||||
|
|
||||||
## 0.6.2
|
## 0.6.2
|
||||||
|
|
||||||
- Fix `expose_any_header` to return list of response headers. [#273]
|
- Fix `expose_any_header` to return list of response headers.
|
||||||
- Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
|
- Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
|
||||||
|
|
||||||
[#273]: https://github.com/actix/actix-extras/pull/273
|
|
||||||
|
|
||||||
## 0.6.1
|
## 0.6.1
|
||||||
|
|
||||||
- Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226]
|
- Do not consider requests without a `Access-Control-Request-Method` as preflight.
|
||||||
|
|
||||||
[#226]: https://github.com/actix/actix-extras/pull/226
|
|
||||||
|
|
||||||
## 0.6.0
|
## 0.6.0
|
||||||
|
|
||||||
- Update `actix-web` dependency to 4.0.
|
- Update `actix-web` dependency to 4.0.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>0.6.0 pre-releases</summary>
|
||||||
|
|
||||||
## 0.6.0-beta.10
|
## 0.6.0-beta.10
|
||||||
|
|
||||||
- Ensure that preflight responses contain a `Vary` header. [#224]
|
- Ensure that preflight responses contain a `Vary` header. [#224]
|
||||||
@ -99,6 +95,8 @@
|
|||||||
- Update `actix-web` dependency to 4.0.0 beta.
|
- Update `actix-web` dependency to 4.0.0 beta.
|
||||||
- Minimum supported Rust version (MSRV) is now 1.46.0.
|
- Minimum supported Rust version (MSRV) is now 1.46.0.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
## 0.5.4
|
## 0.5.4
|
||||||
|
|
||||||
- Fix `expose_any_header` method, now set the correct field. [#143]
|
- Fix `expose_any_header` method, now set the correct field. [#143]
|
||||||
|
@ -115,7 +115,7 @@ impl Cors {
|
|||||||
#[cfg(feature = "draft-private-network-access")]
|
#[cfg(feature = "draft-private-network-access")]
|
||||||
allow_private_network_access: false,
|
allow_private_network_access: false,
|
||||||
vary_header: true,
|
vary_header: true,
|
||||||
block_on_origin_mismatch: true,
|
block_on_origin_mismatch: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
Cors {
|
Cors {
|
||||||
@ -477,7 +477,7 @@ impl Cors {
|
|||||||
/// and block requests based on pre-flight requests. Use this setting to allow cURL and other
|
/// and block requests based on pre-flight requests. Use this setting to allow cURL and other
|
||||||
/// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
|
/// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
|
||||||
///
|
///
|
||||||
/// Defaults to true.
|
/// Defaults to false.
|
||||||
pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors {
|
pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors {
|
||||||
if let Some(cors) = cors(&mut self.inner, &self.error) {
|
if let Some(cors) = cors(&mut self.inner, &self.error) {
|
||||||
cors.block_on_origin_mismatch = block;
|
cors.block_on_origin_mismatch = block;
|
||||||
@ -513,7 +513,7 @@ impl Default for Cors {
|
|||||||
#[cfg(feature = "draft-private-network-access")]
|
#[cfg(feature = "draft-private-network-access")]
|
||||||
allow_private_network_access: false,
|
allow_private_network_access: false,
|
||||||
vary_header: true,
|
vary_header: true,
|
||||||
block_on_origin_mismatch: true,
|
block_on_origin_mismatch: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
Cors {
|
Cors {
|
||||||
@ -646,8 +646,9 @@ mod test {
|
|||||||
.insert_header(("Origin", "https://www.example.com"))
|
.insert_header(("Origin", "https://www.example.com"))
|
||||||
.to_srv_request();
|
.to_srv_request();
|
||||||
|
|
||||||
let resp = test::call_service(&cors, req).await;
|
let res = test::call_service(&cors, req).await;
|
||||||
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
|
assert_eq!(res.status(), StatusCode::OK);
|
||||||
|
assert!(!res.headers().contains_key("Access-Control-Allow-Origin"));
|
||||||
}
|
}
|
||||||
|
|
||||||
#[actix_web::test]
|
#[actix_web::test]
|
||||||
|
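Review bot: The doc comment in the `@ -477,7 +477,7 @@` hunk still reads `Use this setting to allow cURL and other non-browser HTTP clients to function as normal`, which after this change describes the default rather than an opt-in, so a reader is not told which direction the setting now flips. Because the middleware now passes a request with an unlisted `Origin` through to the handler with a 200 and no CORS headers (as the `@ -646` test asserts), the paragraph should say so and point the other way, e.g. `/// Defaults to false. Set to true to reject requests from origins not in the allow list with 400 before they reach the handler; with the default the handler still runs, so this middleware must not be the sole guard for state-changing routes.` The same default appears in both struct literals changed in the `@ -115` (`impl Cors`) and `@ -513` (`impl Default for Cors`) hunks; if one is not already derived from the other, sharing the value would prevent them drifting apart again. The `block_on_origin_mismatch` method's doc comment starts above the hunk.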
@ -266,6 +266,7 @@ mod test {
|
|||||||
async fn test_validate_not_allowed_origin() {
|
async fn test_validate_not_allowed_origin() {
|
||||||
let cors = Cors::default()
|
let cors = Cors::default()
|
||||||
.allowed_origin("https://www.example.com")
|
.allowed_origin("https://www.example.com")
|
||||||
|
.block_on_origin_mismatch(true)
|
||||||
.new_transform(test::ok_service())
|
.new_transform(test::ok_service())
|
||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
@ -382,12 +382,13 @@ async fn test_blocks_mismatched_origin_by_default() {
|
|||||||
.to_srv_request();
|
.to_srv_request();
|
||||||
|
|
||||||
let res = test::call_service(&cors, req).await;
|
let res = test::call_service(&cors, req).await;
|
||||||
assert_eq!(res.status(), StatusCode::BAD_REQUEST);
|
assert_eq!(res.status(), StatusCode::OK);
|
||||||
assert_eq!(res.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), None);
|
assert!(!res
|
||||||
assert!(res
|
|
||||||
.headers()
|
.headers()
|
||||||
.get(header::ACCESS_CONTROL_ALLOW_METHODS)
|
.contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||||
.is_none());
|
assert!(!res
|
||||||
|
.headers()
|
||||||
|
.contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
|
||||||
}
|
}
|
||||||
|
|
||||||
#[actix_web::test]
|
#[actix_web::test]
|
||||||
@ -529,16 +530,23 @@ async fn vary_header_on_all_handled_responses() {
|
|||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
// regular request bad origin
|
// regular request OK with no CORS response headers
|
||||||
let req = TestRequest::default()
|
let req = TestRequest::default()
|
||||||
.method(Method::PUT)
|
.method(Method::PUT)
|
||||||
.insert_header((header::ORIGIN, "https://www.example.com"))
|
.insert_header((header::ORIGIN, "https://www.example.com"))
|
||||||
.to_srv_request();
|
.to_srv_request();
|
||||||
let resp = test::call_service(&cors, req).await;
|
let res = test::call_service(&cors, req).await;
|
||||||
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
|
assert_eq!(res.status(), StatusCode::OK);
|
||||||
|
assert!(!res
|
||||||
|
.headers()
|
||||||
|
.contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||||
|
assert!(!res
|
||||||
|
.headers()
|
||||||
|
.contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
|
||||||
|
|
||||||
#[cfg(not(feature = "draft-private-network-access"))]
|
#[cfg(not(feature = "draft-private-network-access"))]
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
resp.headers()
|
res.headers()
|
||||||
.get(header::VARY)
|
.get(header::VARY)
|
||||||
.expect("response should have Vary header")
|
.expect("response should have Vary header")
|
||||||
.to_str()
|
.to_str()
|
||||||
@ -547,7 +555,7 @@ async fn vary_header_on_all_handled_responses() {
|
|||||||
);
|
);
|
||||||
#[cfg(feature = "draft-private-network-access")]
|
#[cfg(feature = "draft-private-network-access")]
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
resp.headers()
|
res.headers()
|
||||||
.get(header::VARY)
|
.get(header::VARY)
|
||||||
.expect("response should have Vary header")
|
.expect("response should have Vary header")
|
||||||
.to_str()
|
.to_str()
|
||||||
|
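Review bot: In the `@ -382,12 +382,13 @@` hunk the enclosing test, shown in the hunk header as `test_blocks_mismatched_origin_by_default`, now asserts `StatusCode::OK` and the absence of `Access-Control-Allow-Origin`, i.e. that a mismatched origin is not blocked by default; unless a hunk not shown here renames it, the name now states the opposite of what the test checks. Renaming it, e.g. `async fn test_passes_through_mismatched_origin_by_default()`, keeps the suite readable and makes the changed default visible to anyone grepping for the old behaviour. The function's signature and request setup are above the hunk. The `@ -266` hunk correctly makes `test_validate_not_allowed_origin` opt in with `.block_on_origin_mismatch(true)`, so the pre-emptive 400 path remains covered.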