
fix!(cors): default block_on_origin_mismatch to false (#379)

Rob Ede 2024-01-06 20:40:44 +00:00 committed by GitHub
parent e2bf504055
commit d55fc6d7f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 27 deletions


@ -3,6 +3,7 @@
## Unreleased ## Unreleased
- `Cors` is now marked `#[must_use]`. - `Cors` is now marked `#[must_use]`.
- Default for `Cors::block_on_origin_mismatch` is now false.
- Minimum supported Rust version (MSRV) is now 1.75. - Minimum supported Rust version (MSRV) is now 1.75.
## 0.6.5 ## 0.6.5
@ -12,34 +13,29 @@
## 0.6.4 ## 0.6.4
- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`). [#297] - Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`).
[#297]: https://github.com/actix/actix-extras/pull/297
## 0.6.3 ## 0.6.3
- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected. [#287] - Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected.
- Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency. - Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
[#287]: https://github.com/actix/actix-extras/pull/287
## 0.6.2 ## 0.6.2
- Fix `expose_any_header` to return list of response headers. [#273] - Fix `expose_any_header` to return list of response headers.
- Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency. - Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
[#273]: https://github.com/actix/actix-extras/pull/273
## 0.6.1 ## 0.6.1
- Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226] - Do not consider requests without a `Access-Control-Request-Method` as preflight.
[#226]: https://github.com/actix/actix-extras/pull/226
## 0.6.0 ## 0.6.0
- Update `actix-web` dependency to 4.0. - Update `actix-web` dependency to 4.0.
<details>
<summary>0.6.0 pre-releases</summary>
## 0.6.0-beta.10 ## 0.6.0-beta.10
- Ensure that preflight responses contain a `Vary` header. [#224] - Ensure that preflight responses contain a `Vary` header. [#224]
@ -99,6 +95,8 @@
- Update `actix-web` dependency to 4.0.0 beta. - Update `actix-web` dependency to 4.0.0 beta.
- Minimum supported Rust version (MSRV) is now 1.46.0. - Minimum supported Rust version (MSRV) is now 1.46.0.
</details>
## 0.5.4 ## 0.5.4
- Fix `expose_any_header` method, now set the correct field. [#143] - Fix `expose_any_header` method, now set the correct field. [#143]


@ -115,7 +115,7 @@ impl Cors {
#[cfg(feature = "draft-private-network-access")] #[cfg(feature = "draft-private-network-access")]
allow_private_network_access: false, allow_private_network_access: false,
vary_header: true, vary_header: true,
block_on_origin_mismatch: true, block_on_origin_mismatch: false,
}; };
Cors { Cors {
@ -477,7 +477,7 @@ impl Cors {
/// and block requests based on pre-flight requests. Use this setting to allow cURL and other /// and block requests based on pre-flight requests. Use this setting to allow cURL and other
/// non-browser HTTP clients to function as normal, no matter what `Origin` the request has. /// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
/// ///
/// Defaults to true. /// Defaults to false.
pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors { pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors {
if let Some(cors) = cors(&mut self.inner, &self.error) { if let Some(cors) = cors(&mut self.inner, &self.error) {
cors.block_on_origin_mismatch = block; cors.block_on_origin_mismatch = block;
@ -513,7 +513,7 @@ impl Default for Cors {
#[cfg(feature = "draft-private-network-access")] #[cfg(feature = "draft-private-network-access")]
allow_private_network_access: false, allow_private_network_access: false,
vary_header: true, vary_header: true,
block_on_origin_mismatch: true, block_on_origin_mismatch: false,
}; };
Cors { Cors {
@ -646,8 +646,9 @@ mod test {
.insert_header(("Origin", "https://www.example.com")) .insert_header(("Origin", "https://www.example.com"))
.to_srv_request(); .to_srv_request();
let resp = test::call_service(&cors, req).await; let res = test::call_service(&cors, req).await;
assert_eq!(resp.status(), StatusCode::BAD_REQUEST); assert_eq!(res.status(), StatusCode::OK);
assert!(!res.headers().contains_key("Access-Control-Allow-Origin"));
} }
#[actix_web::test] #[actix_web::test]
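Review bot: The doc line `/// Defaults to false.` in the second hunk should spell out what the new default means, because the updated test in the last hunk shows it: a request whose `Origin` does not match is no longer answered with `BAD_REQUEST` but is forwarded to the wrapped service, which runs normally, and only the `Access-Control-Allow-Origin` header is withheld from the response. Callers that were relying on the old default as a server-side origin check now need to opt in explicitly, so the doc should say so next to the default rather than only in the changelog. I would replace the line with `/// Defaults to false. With this default a mismatched-origin request still reaches the wrapped service;` followed by `/// only the CORS response headers are omitted. Set to true to reject such requests with 400 Bad Request.` The `block_on_origin_mismatch` function starts in this hunk and its body continues outside it; the same `true` to `false` flip also appears in the initializers of the first and third hunks (the third is `impl Default for Cors`).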


@ -266,6 +266,7 @@ mod test {
async fn test_validate_not_allowed_origin() { async fn test_validate_not_allowed_origin() {
let cors = Cors::default() let cors = Cors::default()
.allowed_origin("https://www.example.com") .allowed_origin("https://www.example.com")
.block_on_origin_mismatch(true)
.new_transform(test::ok_service()) .new_transform(test::ok_service())
.await .await
.unwrap(); .unwrap();


@ -382,12 +382,13 @@ async fn test_blocks_mismatched_origin_by_default() {
.to_srv_request(); .to_srv_request();
let res = test::call_service(&cors, req).await; let res = test::call_service(&cors, req).await;
assert_eq!(res.status(), StatusCode::BAD_REQUEST); assert_eq!(res.status(), StatusCode::OK);
assert_eq!(res.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), None); assert!(!res
assert!(res
.headers() .headers()
.get(header::ACCESS_CONTROL_ALLOW_METHODS) .contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
.is_none()); assert!(!res
.headers()
.contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
} }
#[actix_web::test] #[actix_web::test]
@ -529,16 +530,23 @@ async fn vary_header_on_all_handled_responses() {
.await .await
.unwrap(); .unwrap();
// regular request bad origin // regular request OK with no CORS response headers
let req = TestRequest::default() let req = TestRequest::default()
.method(Method::PUT) .method(Method::PUT)
.insert_header((header::ORIGIN, "https://www.example.com")) .insert_header((header::ORIGIN, "https://www.example.com"))
.to_srv_request(); .to_srv_request();
let resp = test::call_service(&cors, req).await; let res = test::call_service(&cors, req).await;
assert_eq!(resp.status(), StatusCode::BAD_REQUEST); assert_eq!(res.status(), StatusCode::OK);
assert!(!res
.headers()
.contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
assert!(!res
.headers()
.contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
#[cfg(not(feature = "draft-private-network-access"))] #[cfg(not(feature = "draft-private-network-access"))]
assert_eq!( assert_eq!(
resp.headers() res.headers()
.get(header::VARY) .get(header::VARY)
.expect("response should have Vary header") .expect("response should have Vary header")
.to_str() .to_str()
@ -547,7 +555,7 @@ async fn vary_header_on_all_handled_responses() {
); );
#[cfg(feature = "draft-private-network-access")] #[cfg(feature = "draft-private-network-access")]
assert_eq!( assert_eq!(
resp.headers() res.headers()
.get(header::VARY) .get(header::VARY)
.expect("response should have Vary header") .expect("response should have Vary header")
.to_str() .to_str()
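Review bot: The test named in the first hunk header, `test_blocks_mismatched_origin_by_default`, now asserts the opposite of its name: the new side expects `StatusCode::OK` and the absence of `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`, i.e. the mismatched origin is passed through rather than blocked. The signature line sits outside the hunk, but renaming it, e.g. `async fn test_passes_mismatched_origin_by_default()`, keeps the suite honest about the changed default. This file appears to lose its only assertion of the 400 path; a sibling test that sets `.block_on_origin_mismatch(true)` and keeps the old `BAD_REQUEST` expectation would preserve coverage of the blocking behaviour here, unless that is intentionally left to `test_validate_not_allowed_origin` in the other section.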