fix!(cors): default block_on_origin_mismatch to false (#379)

actix-cors/CHANGES.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 - `Cors` is now marked `#[must_use]`.
+- Default for `Cors::block_on_origin_mismatch` is now false.
 - Minimum supported Rust version (MSRV) is now 1.75.
 
 ## 0.6.5
@@ -12,34 +13,29 @@
 
 ## 0.6.4
 
-- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`). [#297]
+- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`).
-
-[#297]: https://github.com/actix/actix-extras/pull/297
 
 ## 0.6.3
 
-- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected. [#287]
+- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected.
 - Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
 
-[#287]: https://github.com/actix/actix-extras/pull/287
-
 ## 0.6.2
 
-- Fix `expose_any_header` to return list of response headers. [#273]
+- Fix `expose_any_header` to return list of response headers.
 - Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
 
-[#273]: https://github.com/actix/actix-extras/pull/273
-
 ## 0.6.1
 
-- Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226]
+- Do not consider requests without a `Access-Control-Request-Method` as preflight.
-
-[#226]: https://github.com/actix/actix-extras/pull/226
 
 ## 0.6.0
 
 - Update `actix-web` dependency to 4.0.
 
+<details>
+<summary>0.6.0 pre-releases</summary>
+
 ## 0.6.0-beta.10
 
 - Ensure that preflight responses contain a `Vary` header. [#224]
@@ -99,6 +95,8 @@
 - Update `actix-web` dependency to 4.0.0 beta.
 - Minimum supported Rust version (MSRV) is now 1.46.0.
 
+</details>
+
 ## 0.5.4
 
 - Fix `expose_any_header` method, now set the correct field. [#143]

actix-cors/src/builder.rs

@@ -115,7 +115,7 @@ impl Cors {
             #[cfg(feature = "draft-private-network-access")]
             allow_private_network_access: false,
             vary_header: true,
-            block_on_origin_mismatch: true,
+            block_on_origin_mismatch: false,
         };
 
         Cors {
@@ -477,7 +477,7 @@ impl Cors {
     /// and block requests based on pre-flight requests. Use this setting to allow cURL and other
     /// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
     ///
-    /// Defaults to true.
+    /// Defaults to false.
     pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors {
         if let Some(cors) = cors(&mut self.inner, &self.error) {
             cors.block_on_origin_mismatch = block;
@@ -513,7 +513,7 @@ impl Default for Cors {
             #[cfg(feature = "draft-private-network-access")]
             allow_private_network_access: false,
             vary_header: true,
-            block_on_origin_mismatch: true,
+            block_on_origin_mismatch: false,
         };
 
         Cors {
@@ -646,8 +646,9 @@ mod test {
             .insert_header(("Origin", "https://www.example.com"))
             .to_srv_request();
 
-        let resp = test::call_service(&cors, req).await;
+        let res = test::call_service(&cors, req).await;
-        assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+        assert_eq!(res.status(), StatusCode::OK);
+        assert!(!res.headers().contains_key("Access-Control-Allow-Origin"));
     }
 
     #[actix_web::test]

actix-cors/src/inner.rs

@@ -266,6 +266,7 @@ mod test {
     async fn test_validate_not_allowed_origin() {
         let cors = Cors::default()
             .allowed_origin("https://www.example.com")
+            .block_on_origin_mismatch(true)
             .new_transform(test::ok_service())
             .await
             .unwrap();

actix-cors/tests/tests.rs

@@ -382,12 +382,13 @@ async fn test_blocks_mismatched_origin_by_default() {
         .to_srv_request();
 
     let res = test::call_service(&cors, req).await;
-    assert_eq!(res.status(), StatusCode::BAD_REQUEST);
+    assert_eq!(res.status(), StatusCode::OK);
-    assert_eq!(res.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), None);
+    assert!(!res
-    assert!(res
         .headers()
-        .get(header::ACCESS_CONTROL_ALLOW_METHODS)
+        .contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
-        .is_none());
+    assert!(!res
+        .headers()
+        .contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
 }
 
 #[actix_web::test]
@@ -529,16 +530,23 @@ async fn vary_header_on_all_handled_responses() {
         .await
         .unwrap();
 
-    // regular request bad origin
+    // regular request OK with no CORS response headers
     let req = TestRequest::default()
         .method(Method::PUT)
         .insert_header((header::ORIGIN, "https://www.example.com"))
         .to_srv_request();
-    let resp = test::call_service(&cors, req).await;
+    let res = test::call_service(&cors, req).await;
-    assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+    assert_eq!(res.status(), StatusCode::OK);
+    assert!(!res
+        .headers()
+        .contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
+    assert!(!res
+        .headers()
+        .contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
+
     #[cfg(not(feature = "draft-private-network-access"))]
     assert_eq!(
-        resp.headers()
+        res.headers()
             .get(header::VARY)
             .expect("response should have Vary header")
             .to_str()
@@ -547,7 +555,7 @@ async fn vary_header_on_all_handled_responses() {
     );
     #[cfg(feature = "draft-private-network-access")]
     assert_eq!(
-        resp.headers()
+        res.headers()
             .get(header::VARY)
             .expect("response should have Vary header")
             .to_str()