actix/actix-extras
1
0
Fork 0
mirror of https://github.com/actix/actix-extras.git synced 2024-11-23 15:51:06 +01:00
Code Issues Releases Wiki Activity

fix!(cors): default block_on_origin_mismatch to false (#379)

Browse Source
This commit is contained in:
Rob Ede 2024-01-06 20:40:44 +00:00 committed by GitHub
parent e2bf504055
commit d55fc6d7f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
actix-cors/CHANGES.md
View File

@ -3,6 +3,7 @@
## Unreleased
- `Cors` is now marked `#[must_use]`.
- Default for `Cors::block_on_origin_mismatch` is now false.
- Minimum supported Rust version (MSRV) is now 1.75.
## 0.6.5
@ -12,34 +13,29 @@
## 0.6.4
- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`). [#297]
[#297]: https://github.com/actix/actix-extras/pull/297
- Add `Cors::allow_private_network_access()` behind an unstable flag (`draft-private-network-access`).
## 0.6.3
- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected. [#287]
- Add `Cors::block_on_origin_mismatch()` option for controlling if requests are pre-emptively rejected.
- Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
[#287]: https://github.com/actix/actix-extras/pull/287
## 0.6.2
- Fix `expose_any_header` to return list of response headers. [#273]
- Fix `expose_any_header` to return list of response headers.
- Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
[#273]: https://github.com/actix/actix-extras/pull/273
## 0.6.1
- Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226]
[#226]: https://github.com/actix/actix-extras/pull/226
- Do not consider requests without a `Access-Control-Request-Method` as preflight.
## 0.6.0
- Update `actix-web` dependency to 4.0.
<details>
<summary>0.6.0 pre-releases</summary>
## 0.6.0-beta.10
- Ensure that preflight responses contain a `Vary` header. [#224]
@ -99,6 +95,8 @@
- Update `actix-web` dependency to 4.0.0 beta.
- Minimum supported Rust version (MSRV) is now 1.46.0.
</details>
## 0.5.4
- Fix `expose_any_header` method, now set the correct field. [#143]

11
actix-cors/src/builder.rs
View File

@ -115,7 +115,7 @@ impl Cors {
#[cfg(feature = "draft-private-network-access")]
allow_private_network_access: false,
vary_header: true,
block_on_origin_mismatch: true,
block_on_origin_mismatch: false,
};
Cors {
@ -477,7 +477,7 @@ impl Cors {
/// and block requests based on pre-flight requests. Use this setting to allow cURL and other
/// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
///
/// Defaults to true.
/// Defaults to false.
pub fn block_on_origin_mismatch(mut self, block: bool) -> Cors {
if let Some(cors) = cors(&mut self.inner, &self.error) {
cors.block_on_origin_mismatch = block;
@ -513,7 +513,7 @@ impl Default for Cors {
#[cfg(feature = "draft-private-network-access")]
allow_private_network_access: false,
vary_header: true,
block_on_origin_mismatch: true,
block_on_origin_mismatch: false,
};
Cors {
@ -646,8 +646,9 @@ mod test {
.insert_header(("Origin", "https://www.example.com"))
.to_srv_request();
let resp = test::call_service(&cors, req).await;
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let res = test::call_service(&cors, req).await;
assert_eq!(res.status(), StatusCode::OK);
assert!(!res.headers().contains_key("Access-Control-Allow-Origin"));
}
#[actix_web::test]

1
actix-cors/src/inner.rs
View File

@ -266,6 +266,7 @@ mod test {
async fn test_validate_not_allowed_origin() {
let cors = Cors::default()
.allowed_origin("https://www.example.com")
.block_on_origin_mismatch(true)
.new_transform(test::ok_service())
.await
.unwrap();

28
actix-cors/tests/tests.rs
View File

@ -382,12 +382,13 @@ async fn test_blocks_mismatched_origin_by_default() {
.to_srv_request();
let res = test::call_service(&cors, req).await;
assert_eq!(res.status(), StatusCode::BAD_REQUEST);
assert_eq!(res.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), None);
assert!(res
assert_eq!(res.status(), StatusCode::OK);
assert!(!res
.headers()
.get(header::ACCESS_CONTROL_ALLOW_METHODS)
.is_none());
.contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
assert!(!res
.headers()
.contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
}
#[actix_web::test]
@ -529,16 +530,23 @@ async fn vary_header_on_all_handled_responses() {
.await
.unwrap();
// regular request bad origin
// regular request OK with no CORS response headers
let req = TestRequest::default()
.method(Method::PUT)
.insert_header((header::ORIGIN, "https://www.example.com"))
.to_srv_request();
let resp = test::call_service(&cors, req).await;
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let res = test::call_service(&cors, req).await;
assert_eq!(res.status(), StatusCode::OK);
assert!(!res
.headers()
.contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN));
assert!(!res
.headers()
.contains_key(header::ACCESS_CONTROL_ALLOW_METHODS));
#[cfg(not(feature = "draft-private-network-access"))]
assert_eq!(
resp.headers()
res.headers()
.get(header::VARY)
.expect("response should have Vary header")
.to_str()
@ -547,7 +555,7 @@ async fn vary_header_on_all_handled_responses() {
);
#[cfg(feature = "draft-private-network-access")]
assert_eq!(
resp.headers()
res.headers()
.get(header::VARY)
.expect("response should have Vary header")
.to_str()