<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `actix-cors/src/builder.rs`."><title>builder.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceSerif4-Regular-46f98efaafac5295.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/FiraSans-Regular-018c141bf0843ffd.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/FiraSans-Medium-8f9a781e4970d388.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceCodePro-Regular-562dcc5011b6de7d.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceSerif4-Bold-a2c9cd1067f8b328.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceCodePro-Semibold-d899c5a5c4aeb14a.ttf.woff2"><link rel="stylesheet" href="../../static.files/normalize-76eba96aa4d2e634.css"><link rel="stylesheet" href="../../static.files/rustdoc-63a85fc7cf22dee2.css" id="mainThemeStyle"><div id="rustdoc-vars" data-root-path="../../" data-static-root-path="../../static.files/" data-current-crate="actix_cors" data-themes="" data-resource-suffix="" data-rustdoc-version="1.70.0-nightly (af06dce64 2023-04-08)" data-search-js="search-bc5a112813b5d712.js" data-settings-js="settings-298e1ea74db45b39.js" data-settings-css="settings-0bcba95ff279c1db.css" data-theme-light-css="light-db279b6232be9c13.css" data-theme-dark-css="dark-cf923f49f397b216.css" data-theme-ayu-css="ayu-be46fdc453a55015.css" ></div><script src="../../static.files/storage-62ce34ea385b278a.js"></script><script defer src="../../static.files/source-script-1b95b7cca98b26e5.js"></script><script defer src="../../source-files.js"></script><script defer src="../../static.files/main-1159a395118aa44e.js"></script><noscript><link rel="stylesheet" media="(prefers-color-scheme:light)" href="../../static.files/light-db279b6232be9c13.css"><link rel="stylesheet" media="(prefers-color-scheme:dark)" href="../../static.files/dark-cf923f49f397b216.css"><link rel="stylesheet" href="../../static.files/noscript-13285aec31fa243e.css"></noscript><link rel="icon" href="https://actix.rs/favicon.ico"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"></nav><main><nav class="sub"><a class="sub-logo-container" href="../../actix_cors/index.html"><img src="https://actix.rs/img/logo.png" alt="logo"></a><form class="search-form"><span></span><input class="search-input" name="search" aria-label="Run search in the documentation" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../static.files/wheel-7b819b6101059cd0.svg"></a></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><div data-nosnippet><pre class="src-line-numbers"><a href="#1" id="1">1</a>
<a href="#2" id="2">2</a>
<a href="#3" id="3">3</a>
<a href="#4" id="4">4</a>
<a href="#5" id="5">5</a>
<a href="#6" id="6">6</a>
<a href="#7" id="7">7</a>
<a href="#8" id="8">8</a>
<a href="#9" id="9">9</a>
<a href="#10" id="10">10</a>
<a href="#11" id="11">11</a>
<a href="#12" id="12">12</a>
<a href="#13" id="13">13</a>
<a href="#14" id="14">14</a>
<a href="#15" id="15">15</a>
<a href="#16" id="16">16</a>
<a href="#17" id="17">17</a>
<a href="#18" id="18">18</a>
<a href="#19" id="19">19</a>
<a href="#20" id="20">20</a>
<a href="#21" id="21">21</a>
<a href="#22" id="22">22</a>
<a href="#23" id="23">23</a>
<a href="#24" id="24">24</a>
<a href="#25" id="25">25</a>
<a href="#26" id="26">26</a>
<a href="#27" id="27">27</a>
<a href="#28" id="28">28</a>
<a href="#29" id="29">29</a>
<a href="#30" id="30">30</a>
<a href="#31" id="31">31</a>
<a href="#32" id="32">32</a>
<a href="#33" id="33">33</a>
<a href="#34" id="34">34</a>
<a href="#35" id="35">35</a>
<a href="#36" id="36">36</a>
<a href="#37" id="37">37</a>
<a href="#38" id="38">38</a>
<a href="#39" id="39">39</a>
<a href="#40" id="40">40</a>
<a href="#41" id="41">41</a>
<a href="#42" id="42">42</a>
<a href="#43" id="43">43</a>
<a href="#44" id="44">44</a>
<a href="#45" id="45">45</a>
<a href="#46" id="46">46</a>
<a href="#47" id="47">47</a>
<a href="#48" id="48">48</a>
<a href="#49" id="49">49</a>
<a href="#50" id="50">50</a>
<a href="#51" id="51">51</a>
<a href="#52" id="52">52</a>
<a href="#53" id="53">53</a>
<a href="#54" id="54">54</a>
<a href="#55" id="55">55</a>
<a href="#56" id="56">56</a>
<a href="#57" id="57">57</a>
<a href="#58" id="58">58</a>
<a href="#59" id="59">59</a>
<a href="#60" id="60">60</a>
<a href="#61" id="61">61</a>
<a href="#62" id="62">62</a>
<a href="#63" id="63">63</a>
<a href="#64" id="64">64</a>
<a href="#65" id="65">65</a>
<a href="#66" id="66">66</a>
<a href="#67" id="67">67</a>
<a href="#68" id="68">68</a>
<a href="#69" id="69">69</a>
<a href="#70" id="70">70</a>
<a href="#71" id="71">71</a>
<a href="#72" id="72">72</a>
<a href="#73" id="73">73</a>
<a href="#74" id="74">74</a>
<a href="#75" id="75">75</a>
<a href="#76" id="76">76</a>
<a href="#77" id="77">77</a>
<a href="#78" id="78">78</a>
<a href="#79" id="79">79</a>
<a href="#80" id="80">80</a>
<a href="#81" id="81">81</a>
<a href="#82" id="82">82</a>
<a href="#83" id="83">83</a>
<a href="#84" id="84">84</a>
<a href="#85" id="85">85</a>
<a href="#86" id="86">86</a>
<a href="#87" id="87">87</a>
<a href="#88" id="88">88</a>
<a href="#89" id="89">89</a>
<a href="#90" id="90">90</a>
<a href="#91" id="91">91</a>
<a href="#92" id="92">92</a>
<a href="#93" id="93">93</a>
<a href="#94" id="94">94</a>
<a href="#95" id="95">95</a>
<a href="#96" id="96">96</a>
<a href="#97" id="97">97</a>
<a href="#98" id="98">98</a>
<a href="#99" id="99">99</a>
<a href="#100" id="100">100</a>
<a href="#101" id="101">101</a>
<a href="#102" id="102">102</a>
<a href="#103" id="103">103</a>
<a href="#104" id="104">104</a>
<a href="#105" id="105">105</a>
<a href="#106" id="106">106</a>
<a href="#107" id="107">107</a>
<a href="#108" id="108">108</a>
<a href="#109" id="109">109</a>
<a href="#110" id="110">110</a>
<a href="#111" id="111">111</a>
<a href="#112" id="112">112</a>
<a href="#113" id="113">113</a>
<a href="#114" id="114">114</a>
<a href="#115" id="115">115</a>
<a href="#116" id="116">116</a>
<a href="#117" id="117">117</a>
<a href="#118" id="118">118</a>
<a href="#119" id="119">119</a>
<a href="#120" id="120">120</a>
<a href="#121" id="121">121</a>
<a href="#122" id="122">122</a>
<a href="#123" id="123">123</a>
<a href="#124" id="124">124</a>
<a href="#125" id="125">125</a>
<a href="#126" id="126">126</a>
<a href="#127" id="127">127</a>
<a href="#128" id="128">128</a>
<a href="#129" id="129">129</a>
<a href="#130" id="130">130</a>
<a href="#131" id="131">131</a>
<a href="#132" id="132">132</a>
<a href="#133" id="133">133</a>
<a href="#134" id="134">134</a>
<a href="#135" id="135">135</a>
<a href="#136" id="136">136</a>
<a href="#137" id="137">137</a>
<a href="#138" id="138">138</a>
<a href="#139" id="139">139</a>
<a href="#140" id="140">140</a>
<a href="#141" id="141">141</a>
<a href="#142" id="142">142</a>
<a href="#143" id="143">143</a>
<a href="#144" id="144">144</a>
<a href="#145" id="145">145</a>
<a href="#146" id="146">146</a>
<a href="#147" id="147">147</a>
<a href="#148" id="148">148</a>
<a href="#149" id="149">149</a>
<a href="#150" id="150">150</a>
<a href="#151" id="151">151</a>
<a href="#152" id="152">152</a>
<a href="#153" id="153">153</a>
<a href="#154" id="154">154</a>
<a href="#155" id="155">155</a>
<a href="#156" id="156">156</a>
<a href="#157" id="157">157</a>
<a href="#158" id="158">158</a>
<a href="#159" id="159">159</a>
<a href="#160" id="160">160</a>
<a href="#161" id="161">161</a>
<a href="#162" id="162">162</a>
<a href="#163" id="163">163</a>
<a href="#164" id="164">164</a>
<a href="#165" id="165">165</a>
<a href="#166" id="166">166</a>
<a href="#167" id="167">167</a>
<a href="#168" id="168">168</a>
<a href="#169" id="169">169</a>
<a href="#170" id="170">170</a>
<a href="#171" id="171">171</a>
<a href="#172" id="172">172</a>
<a href="#173" id="173">173</a>
<a href="#174" id="174">174</a>
<a href="#175" id="175">175</a>
<a href="#176" id="176">176</a>
<a href="#177" id="177">177</a>
<a href="#178" id="178">178</a>
<a href="#179" id="179">179</a>
<a href="#180" id="180">180</a>
<a href="#181" id="181">181</a>
<a href="#182" id="182">182</a>
<a href="#183" id="183">183</a>
<a href="#184" id="184">184</a>
<a href="#185" id="185">185</a>
<a href="#186" id="186">186</a>
<a href="#187" id="187">187</a>
<a href="#188" id="188">188</a>
<a href="#189" id="189">189</a>
<a href="#190" id="190">190</a>
<a href="#191" id="191">191</a>
<a href="#192" id="192">192</a>
<a href="#193" id="193">193</a>
<a href="#194" id="194">194</a>
<a href="#195" id="195">195</a>
<a href="#196" id="196">196</a>
<a href="#197" id="197">197</a>
<a href="#198" id="198">198</a>
<a href="#199" id="199">199</a>
<a href="#200" id="200">200</a>
<a href="#201" id="201">201</a>
<a href="#202" id="202">202</a>
<a href="#203" id="203">203</a>
<a href="#204" id="204">204</a>
<a href="#205" id="205">205</a>
<a href="#206" id="206">206</a>
<a href="#207" id="207">207</a>
<a href="#208" id="208">208</a>
<a href="#209" id="209">209</a>
<a href="#210" id="210">210</a>
<a href="#211" id="211">211</a>
<a href="#212" id="212">212</a>
<a href="#213" id="213">213</a>
<a href="#214" id="214">214</a>
<a href="#215" id="215">215</a>
<a href="#216" id="216">216</a>
<a href="#217" id="217">217</a>
<a href="#218" id="218">218</a>
<a href="#219" id="219">219</a>
<a href="#220" id="220">220</a>
<a href="#221" id="221">221</a>
<a href="#222" id="222">222</a>
<a href="#223" id="223">223</a>
<a href="#224" id="224">224</a>
<a href="#225" id="225">225</a>
<a href="#226" id="226">226</a>
<a href="#227" id="227">227</a>
<a href="#228" id="228">228</a>
<a href="#229" id="229">229</a>
<a href="#230" id="230">230</a>
<a href="#231" id="231">231</a>
<a href="#232" id="232">232</a>
<a href="#233" id="233">233</a>
<a href="#234" id="234">234</a>
<a href="#235" id="235">235</a>
<a href="#236" id="236">236</a>
<a href="#237" id="237">237</a>
<a href="#238" id="238">238</a>
<a href="#239" id="239">239</a>
<a href="#240" id="240">240</a>
<a href="#241" id="241">241</a>
<a href="#242" id="242">242</a>
<a href="#243" id="243">243</a>
<a href="#244" id="244">244</a>
<a href="#245" id="245">245</a>
<a href="#246" id="246">246</a>
<a href="#247" id="247">247</a>
<a href="#248" id="248">248</a>
<a href="#249" id="249">249</a>
<a href="#250" id="250">250</a>
<a href="#251" id="251">251</a>
<a href="#252" id="252">252</a>
<a href="#253" id="253">253</a>
<a href="#254" id="254">254</a>
<a href="#255" id="255">255</a>
<a href="#256" id="256">256</a>
<a href="#257" id="257">257</a>
<a href="#258" id="258">258</a>
<a href="#259" id="259">259</a>
<a href="#260" id="260">260</a>
<a href="#261" id="261">261</a>
<a href="#262" id="262">262</a>
<a href="#263" id="263">263</a>
<a href="#264" id="264">264</a>
<a href="#265" id="265">265</a>
<a href="#266" id="266">266</a>
<a href="#267" id="267">267</a>
<a href="#268" id="268">268</a>
<a href="#269" id="269">269</a>
<a href="#270" id="270">270</a>
<a href="#271" id="271">271</a>
<a href="#272" id="272">272</a>
<a href="#273" id="273">273</a>
<a href="#274" id="274">274</a>
<a href="#275" id="275">275</a>
<a href="#276" id="276">276</a>
<a href="#277" id="277">277</a>
<a href="#278" id="278">278</a>
<a href="#279" id="279">279</a>
<a href="#280" id="280">280</a>
<a href="#281" id="281">281</a>
<a href="#282" id="282">282</a>
<a href="#283" id="283">283</a>
<a href="#284" id="284">284</a>
<a href="#285" id="285">285</a>
<a href="#286" id="286">286</a>
<a href="#287" id="287">287</a>
<a href="#288" id="288">288</a>
<a href="#289" id="289">289</a>
<a href="#290" id="290">290</a>
<a href="#291" id="291">291</a>
<a href="#292" id="292">292</a>
<a href="#293" id="293">293</a>
<a href="#294" id="294">294</a>
<a href="#295" id="295">295</a>
<a href="#296" id="296">296</a>
<a href="#297" id="297">297</a>
<a href="#298" id="298">298</a>
<a href="#299" id="299">299</a>
<a href="#300" id="300">300</a>
<a href="#301" id="301">301</a>
<a href="#302" id="302">302</a>
<a href="#303" id="303">303</a>
<a href="#304" id="304">304</a>
<a href="#305" id="305">305</a>
<a href="#306" id="306">306</a>
<a href="#307" id="307">307</a>
<a href="#308" id="308">308</a>
<a href="#309" id="309">309</a>
<a href="#310" id="310">310</a>
<a href="#311" id="311">311</a>
<a href="#312" id="312">312</a>
<a href="#313" id="313">313</a>
<a href="#314" id="314">314</a>
<a href="#315" id="315">315</a>
<a href="#316" id="316">316</a>
<a href="#317" id="317">317</a>
<a href="#318" id="318">318</a>
<a href="#319" id="319">319</a>
<a href="#320" id="320">320</a>
<a href="#321" id="321">321</a>
<a href="#322" id="322">322</a>
<a href="#323" id="323">323</a>
<a href="#324" id="324">324</a>
<a href="#325" id="325">325</a>
<a href="#326" id="326">326</a>
<a href="#327" id="327">327</a>
<a href="#328" id="328">328</a>
<a href="#329" id="329">329</a>
<a href="#330" id="330">330</a>
<a href="#331" id="331">331</a>
<a href="#332" id="332">332</a>
<a href="#333" id="333">333</a>
<a href="#334" id="334">334</a>
<a href="#335" id="335">335</a>
<a href="#336" id="336">336</a>
<a href="#337" id="337">337</a>
<a href="#338" id="338">338</a>
<a href="#339" id="339">339</a>
<a href="#340" id="340">340</a>
<a href="#341" id="341">341</a>
<a href="#342" id="342">342</a>
<a href="#343" id="343">343</a>
<a href="#344" id="344">344</a>
<a href="#345" id="345">345</a>
<a href="#346" id="346">346</a>
<a href="#347" id="347">347</a>
<a href="#348" id="348">348</a>
<a href="#349" id="349">349</a>
<a href="#350" id="350">350</a>
<a href="#351" id="351">351</a>
<a href="#352" id="352">352</a>
<a href="#353" id="353">353</a>
<a href="#354" id="354">354</a>
<a href="#355" id="355">355</a>
<a href="#356" id="356">356</a>
<a href="#357" id="357">357</a>
<a href="#358" id="358">358</a>
<a href="#359" id="359">359</a>
<a href="#360" id="360">360</a>
<a href="#361" id="361">361</a>
<a href="#362" id="362">362</a>
<a href="#363" id="363">363</a>
<a href="#364" id="364">364</a>
<a href="#365" id="365">365</a>
<a href="#366" id="366">366</a>
<a href="#367" id="367">367</a>
<a href="#368" id="368">368</a>
<a href="#369" id="369">369</a>
<a href="#370" id="370">370</a>
<a href="#371" id="371">371</a>
<a href="#372" id="372">372</a>
<a href="#373" id="373">373</a>
<a href="#374" id="374">374</a>
<a href="#375" id="375">375</a>
<a href="#376" id="376">376</a>
<a href="#377" id="377">377</a>
<a href="#378" id="378">378</a>
<a href="#379" id="379">379</a>
<a href="#380" id="380">380</a>
<a href="#381" id="381">381</a>
<a href="#382" id="382">382</a>
<a href="#383" id="383">383</a>
<a href="#384" id="384">384</a>
<a href="#385" id="385">385</a>
<a href="#386" id="386">386</a>
<a href="#387" id="387">387</a>
<a href="#388" id="388">388</a>
<a href="#389" id="389">389</a>
<a href="#390" id="390">390</a>
<a href="#391" id="391">391</a>
<a href="#392" id="392">392</a>
<a href="#393" id="393">393</a>
<a href="#394" id="394">394</a>
<a href="#395" id="395">395</a>
<a href="#396" id="396">396</a>
<a href="#397" id="397">397</a>
<a href="#398" id="398">398</a>
<a href="#399" id="399">399</a>
<a href="#400" id="400">400</a>
<a href="#401" id="401">401</a>
<a href="#402" id="402">402</a>
<a href="#403" id="403">403</a>
<a href="#404" id="404">404</a>
<a href="#405" id="405">405</a>
<a href="#406" id="406">406</a>
<a href="#407" id="407">407</a>
<a href="#408" id="408">408</a>
<a href="#409" id="409">409</a>
<a href="#410" id="410">410</a>
<a href="#411" id="411">411</a>
<a href="#412" id="412">412</a>
<a href="#413" id="413">413</a>
<a href="#414" id="414">414</a>
<a href="#415" id="415">415</a>
<a href="#416" id="416">416</a>
<a href="#417" id="417">417</a>
<a href="#418" id="418">418</a>
<a href="#419" id="419">419</a>
<a href="#420" id="420">420</a>
<a href="#421" id="421">421</a>
<a href="#422" id="422">422</a>
<a href="#423" id="423">423</a>
<a href="#424" id="424">424</a>
<a href="#425" id="425">425</a>
<a href="#426" id="426">426</a>
<a href="#427" id="427">427</a>
<a href="#428" id="428">428</a>
<a href="#429" id="429">429</a>
<a href="#430" id="430">430</a>
<a href="#431" id="431">431</a>
<a href="#432" id="432">432</a>
<a href="#433" id="433">433</a>
<a href="#434" id="434">434</a>
<a href="#435" id="435">435</a>
<a href="#436" id="436">436</a>
<a href="#437" id="437">437</a>
<a href="#438" id="438">438</a>
<a href="#439" id="439">439</a>
<a href="#440" id="440">440</a>
<a href="#441" id="441">441</a>
<a href="#442" id="442">442</a>
<a href="#443" id="443">443</a>
<a href="#444" id="444">444</a>
<a href="#445" id="445">445</a>
<a href="#446" id="446">446</a>
<a href="#447" id="447">447</a>
<a href="#448" id="448">448</a>
<a href="#449" id="449">449</a>
<a href="#450" id="450">450</a>
<a href="#451" id="451">451</a>
<a href="#452" id="452">452</a>
<a href="#453" id="453">453</a>
<a href="#454" id="454">454</a>
<a href="#455" id="455">455</a>
<a href="#456" id="456">456</a>
<a href="#457" id="457">457</a>
<a href="#458" id="458">458</a>
<a href="#459" id="459">459</a>
<a href="#460" id="460">460</a>
<a href="#461" id="461">461</a>
<a href="#462" id="462">462</a>
<a href="#463" id="463">463</a>
<a href="#464" id="464">464</a>
<a href="#465" id="465">465</a>
<a href="#466" id="466">466</a>
<a href="#467" id="467">467</a>
<a href="#468" id="468">468</a>
<a href="#469" id="469">469</a>
<a href="#470" id="470">470</a>
<a href="#471" id="471">471</a>
<a href="#472" id="472">472</a>
<a href="#473" id="473">473</a>
<a href="#474" id="474">474</a>
<a href="#475" id="475">475</a>
<a href="#476" id="476">476</a>
<a href="#477" id="477">477</a>
<a href="#478" id="478">478</a>
<a href="#479" id="479">479</a>
<a href="#480" id="480">480</a>
<a href="#481" id="481">481</a>
<a href="#482" id="482">482</a>
<a href="#483" id="483">483</a>
<a href="#484" id="484">484</a>
<a href="#485" id="485">485</a>
<a href="#486" id="486">486</a>
<a href="#487" id="487">487</a>
<a href="#488" id="488">488</a>
<a href="#489" id="489">489</a>
<a href="#490" id="490">490</a>
<a href="#491" id="491">491</a>
<a href="#492" id="492">492</a>
<a href="#493" id="493">493</a>
<a href="#494" id="494">494</a>
<a href="#495" id="495">495</a>
<a href="#496" id="496">496</a>
<a href="#497" id="497">497</a>
<a href="#498" id="498">498</a>
<a href="#499" id="499">499</a>
<a href="#500" id="500">500</a>
<a href="#501" id="501">501</a>
<a href="#502" id="502">502</a>
<a href="#503" id="503">503</a>
<a href="#504" id="504">504</a>
<a href="#505" id="505">505</a>
<a href="#506" id="506">506</a>
<a href="#507" id="507">507</a>
<a href="#508" id="508">508</a>
<a href="#509" id="509">509</a>
<a href="#510" id="510">510</a>
<a href="#511" id="511">511</a>
<a href="#512" id="512">512</a>
<a href="#513" id="513">513</a>
<a href="#514" id="514">514</a>
<a href="#515" id="515">515</a>
<a href="#516" id="516">516</a>
<a href="#517" id="517">517</a>
<a href="#518" id="518">518</a>
<a href="#519" id="519">519</a>
<a href="#520" id="520">520</a>
<a href="#521" id="521">521</a>
<a href="#522" id="522">522</a>
<a href="#523" id="523">523</a>
<a href="#524" id="524">524</a>
<a href="#525" id="525">525</a>
<a href="#526" id="526">526</a>
<a href="#527" id="527">527</a>
<a href="#528" id="528">528</a>
<a href="#529" id="529">529</a>
<a href="#530" id="530">530</a>
<a href="#531" id="531">531</a>
<a href="#532" id="532">532</a>
<a href="#533" id="533">533</a>
<a href="#534" id="534">534</a>
<a href="#535" id="535">535</a>
<a href="#536" id="536">536</a>
<a href="#537" id="537">537</a>
<a href="#538" id="538">538</a>
<a href="#539" id="539">539</a>
<a href="#540" id="540">540</a>
<a href="#541" id="541">541</a>
<a href="#542" id="542">542</a>
<a href="#543" id="543">543</a>
<a href="#544" id="544">544</a>
<a href="#545" id="545">545</a>
<a href="#546" id="546">546</a>
<a href="#547" id="547">547</a>
<a href="#548" id="548">548</a>
<a href="#549" id="549">549</a>
<a href="#550" id="550">550</a>
<a href="#551" id="551">551</a>
<a href="#552" id="552">552</a>
<a href="#553" id="553">553</a>
<a href="#554" id="554">554</a>
<a href="#555" id="555">555</a>
<a href="#556" id="556">556</a>
<a href="#557" id="557">557</a>
<a href="#558" id="558">558</a>
<a href="#559" id="559">559</a>
<a href="#560" id="560">560</a>
<a href="#561" id="561">561</a>
<a href="#562" id="562">562</a>
<a href="#563" id="563">563</a>
<a href="#564" id="564">564</a>
<a href="#565" id="565">565</a>
<a href="#566" id="566">566</a>
<a href="#567" id="567">567</a>
<a href="#568" id="568">568</a>
<a href="#569" id="569">569</a>
<a href="#570" id="570">570</a>
<a href="#571" id="571">571</a>
<a href="#572" id="572">572</a>
<a href="#573" id="573">573</a>
<a href="#574" id="574">574</a>
<a href="#575" id="575">575</a>
<a href="#576" id="576">576</a>
<a href="#577" id="577">577</a>
<a href="#578" id="578">578</a>
<a href="#579" id="579">579</a>
<a href="#580" id="580">580</a>
<a href="#581" id="581">581</a>
<a href="#582" id="582">582</a>
<a href="#583" id="583">583</a>
<a href="#584" id="584">584</a>
<a href="#585" id="585">585</a>
<a href="#586" id="586">586</a>
<a href="#587" id="587">587</a>
<a href="#588" id="588">588</a>
<a href="#589" id="589">589</a>
<a href="#590" id="590">590</a>
<a href="#591" id="591">591</a>
<a href="#592" id="592">592</a>
<a href="#593" id="593">593</a>
<a href="#594" id="594">594</a>
<a href="#595" id="595">595</a>
<a href="#596" id="596">596</a>
<a href="#597" id="597">597</a>
<a href="#598" id="598">598</a>
<a href="#599" id="599">599</a>
<a href="#600" id="600">600</a>
<a href="#601" id="601">601</a>
<a href="#602" id="602">602</a>
<a href="#603" id="603">603</a>
<a href="#604" id="604">604</a>
<a href="#605" id="605">605</a>
<a href="#606" id="606">606</a>
<a href="#607" id="607">607</a>
<a href="#608" id="608">608</a>
<a href="#609" id="609">609</a>
<a href="#610" id="610">610</a>
<a href="#611" id="611">611</a>
<a href="#612" id="612">612</a>
<a href="#613" id="613">613</a>
<a href="#614" id="614">614</a>
<a href="#615" id="615">615</a>
<a href="#616" id="616">616</a>
<a href="#617" id="617">617</a>
<a href="#618" id="618">618</a>
<a href="#619" id="619">619</a>
<a href="#620" id="620">620</a>
<a href="#621" id="621">621</a>
<a href="#622" id="622">622</a>
<a href="#623" id="623">623</a>
<a href="#624" id="624">624</a>
<a href="#625" id="625">625</a>
<a href="#626" id="626">626</a>
<a href="#627" id="627">627</a>
<a href="#628" id="628">628</a>
<a href="#629" id="629">629</a>
<a href="#630" id="630">630</a>
<a href="#631" id="631">631</a>
<a href="#632" id="632">632</a>
<a href="#633" id="633">633</a>
<a href="#634" id="634">634</a>
<a href="#635" id="635">635</a>
<a href="#636" id="636">636</a>
<a href="#637" id="637">637</a>
<a href="#638" id="638">638</a>
<a href="#639" id="639">639</a>
<a href="#640" id="640">640</a>
<a href="#641" id="641">641</a>
<a href="#642" id="642">642</a>
<a href="#643" id="643">643</a>
<a href="#644" id="644">644</a>
<a href="#645" id="645">645</a>
<a href="#646" id="646">646</a>
<a href="#647" id="647">647</a>
<a href="#648" id="648">648</a>
<a href="#649" id="649">649</a>
<a href="#650" id="650">650</a>
<a href="#651" id="651">651</a>
<a href="#652" id="652">652</a>
<a href="#653" id="653">653</a>
<a href="#654" id="654">654</a>
<a href="#655" id="655">655</a>
<a href="#656" id="656">656</a>
<a href="#657" id="657">657</a>
<a href="#658" id="658">658</a>
<a href="#659" id="659">659</a>
<a href="#660" id="660">660</a>
<a href="#661" id="661">661</a>
<a href="#662" id="662">662</a>
<a href="#663" id="663">663</a>
<a href="#664" id="664">664</a>
<a href="#665" id="665">665</a>
<a href="#666" id="666">666</a>
<a href="#667" id="667">667</a>
<a href="#668" id="668">668</a>
<a href="#669" id="669">669</a>
<a href="#670" id="670">670</a>
<a href="#671" id="671">671</a>
<a href="#672" id="672">672</a>
<a href="#673" id="673">673</a>
<a href="#674" id="674">674</a>
<a href="#675" id="675">675</a>
<a href="#676" id="676">676</a>
<a href="#677" id="677">677</a>
<a href="#678" id="678">678</a>
<a href="#679" id="679">679</a>
<a href="#680" id="680">680</a>
<a href="#681" id="681">681</a>
<a href="#682" id="682">682</a>
<a href="#683" id="683">683</a>
<a href="#684" id="684">684</a>
</pre></div><pre class="rust"><code><span class="kw">use </span>std::{collections::HashSet, convert::TryInto, iter::FromIterator, rc::Rc};
<span class="kw">use </span>actix_utils::future::{<span class="self">self</span>, Ready};
<span class="kw">use </span>actix_web::{
body::{EitherBody, MessageBody},
dev::{RequestHead, Service, ServiceRequest, ServiceResponse, Transform},
error::HttpError,
http::{
header::{HeaderName, HeaderValue},
Method, Uri,
},
Either, Error, <span class="prelude-ty">Result</span>,
};
<span class="kw">use </span>log::error;
<span class="kw">use </span>once_cell::sync::Lazy;
<span class="kw">use </span>smallvec::smallvec;
<span class="kw">use crate</span>::{AllOrSome, CorsError, CorsMiddleware, Inner, OriginFn};
<span class="doccomment">/// Convenience for getting mut refs to inner. Cleaner than `Rc::get_mut`.
/// Additionally, always causes first error (if any) to be reported during initialization.
</span><span class="kw">fn </span>cors<<span class="lifetime">'a</span>>(
inner: <span class="kw-2">&</span><span class="lifetime">'a </span><span class="kw-2">mut </span>Rc<Inner>,
err: <span class="kw-2">&</span><span class="prelude-ty">Option</span><Either<HttpError, CorsError>>,
) -> <span class="prelude-ty">Option</span><<span class="kw-2">&</span><span class="lifetime">'a </span><span class="kw-2">mut </span>Inner> {
<span class="kw">if </span>err.is_some() {
<span class="kw">return </span><span class="prelude-val">None</span>;
}
Rc::get_mut(inner)
}
<span class="kw">static </span>ALL_METHODS_SET: Lazy<HashSet<Method>> = Lazy::new(|| {
HashSet::from_iter(<span class="macro">vec!</span>[
Method::GET,
Method::POST,
Method::PUT,
Method::DELETE,
Method::HEAD,
Method::OPTIONS,
Method::CONNECT,
Method::PATCH,
Method::TRACE,
])
});
<span class="doccomment">/// Builder for CORS middleware.
///
/// To construct a CORS middleware, call [`Cors::default()`] to create a blank, restrictive builder.
/// Then use any of the builder methods to customize CORS behavior.
///
/// The alternative [`Cors::permissive()`] constructor is available for local development, allowing
/// all origins and headers, etc. **The permissive constructor should not be used in production.**
///
/// # Errors
/// Errors surface in the middleware initialization phase. This means that, if you have logs enabled
/// in Actix Web (using `env_logger` or other crate that exposes logs from the `log` crate), error
/// messages will outline what is wrong with the CORS configuration in the server logs and the
/// server will fail to start up or serve requests.
///
/// # Example
/// ```
/// use actix_cors::Cors;
/// use actix_web::http::header;
///
/// let cors = Cors::default()
/// .allowed_origin("https://www.rust-lang.org")
/// .allowed_methods(vec!["GET", "POST"])
/// .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
/// .allowed_header(header::CONTENT_TYPE)
/// .max_age(3600);
///
/// // `cors` can now be used in `App::wrap`.
/// ```
</span><span class="attr">#[derive(Debug)]
</span><span class="kw">pub struct </span>Cors {
inner: Rc<Inner>,
error: <span class="prelude-ty">Option</span><Either<HttpError, CorsError>>,
}
<span class="kw">impl </span>Cors {
<span class="doccomment">/// A very permissive set of default for quick development. Not recommended for production use.
///
/// *All* origins, methods, request headers and exposed headers allowed. Credentials supported.
/// Max age 1 hour. Does not send wildcard.
</span><span class="kw">pub fn </span>permissive() -> <span class="self">Self </span>{
<span class="kw">let </span>inner = Inner {
allowed_origins: AllOrSome::All,
allowed_origins_fns: <span class="macro">smallvec!</span>[],
allowed_methods: ALL_METHODS_SET.clone(),
allowed_methods_baked: <span class="prelude-val">None</span>,
allowed_headers: AllOrSome::All,
allowed_headers_baked: <span class="prelude-val">None</span>,
expose_headers: AllOrSome::All,
expose_headers_baked: <span class="prelude-val">None</span>,
max_age: <span class="prelude-val">Some</span>(<span class="number">3600</span>),
preflight: <span class="bool-val">true</span>,
send_wildcard: <span class="bool-val">false</span>,
supports_credentials: <span class="bool-val">true</span>,
<span class="attr">#[cfg(feature = <span class="string">"draft-private-network-access"</span>)]
</span>allow_private_network_access: <span class="bool-val">false</span>,
vary_header: <span class="bool-val">true</span>,
block_on_origin_mismatch: <span class="bool-val">true</span>,
};
Cors {
inner: Rc::new(inner),
error: <span class="prelude-val">None</span>,
}
}
<span class="doccomment">/// Resets allowed origin list to a state where any origin is accepted.
///
/// See [`Cors::allowed_origin`] for more info on allowed origins.
</span><span class="kw">pub fn </span>allow_any_origin(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.allowed_origins = AllOrSome::All;
}
<span class="self">self
</span>}
<span class="doccomment">/// Add an origin that is allowed to make requests.
///
/// This method allows specifying a finite set of origins to verify the value of the `Origin`
/// request header. These are `origin-or-null` types in the [Fetch Standard].
///
/// By default, no origins are accepted.
///
/// When this list is set, the client's `Origin` request header will be checked in a
/// case-sensitive manner.
///
/// When all origins are allowed and `send_wildcard` is set, `*` will be sent in the
/// `Access-Control-Allow-Origin` response header. If `send_wildcard` is not set, the client's
/// `Origin` request header will be echoed back in the `Access-Control-Allow-Origin`
/// response header.
///
/// If the origin of the request doesn't match any allowed origins and at least one
/// `allowed_origin_fn` function is set, these functions will be used to determinate
/// allowed origins.
///
/// # Initialization Errors
/// - If supplied origin is not valid uri
/// - If supplied origin is a wildcard (`*`). [`Cors::send_wildcard`] should be used instead.
///
/// [Fetch Standard]: https://fetch.spec.whatwg.org/#origin-header
</span><span class="kw">pub fn </span>allowed_origin(<span class="kw-2">mut </span><span class="self">self</span>, origin: <span class="kw-2">&</span>str) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
<span class="kw">match </span>TryInto::<Uri>::try_into(origin) {
<span class="prelude-val">Ok</span>(<span class="kw">_</span>) <span class="kw">if </span>origin == <span class="string">"*" </span>=> {
<span class="macro">error!</span>(<span class="string">"Wildcard in `allowed_origin` is not allowed. Use `send_wildcard`."</span>);
<span class="self">self</span>.error = <span class="prelude-val">Some</span>(Either::Right(CorsError::WildcardOrigin));
}
<span class="prelude-val">Ok</span>(<span class="kw">_</span>) => {
<span class="kw">if </span>cors.allowed_origins.is_all() {
cors.allowed_origins = AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>));
}
<span class="kw">if let </span><span class="prelude-val">Some</span>(origins) = cors.allowed_origins.as_mut() {
<span class="comment">// any uri is a valid header value
</span><span class="kw">let </span>hv = origin.try_into().unwrap();
origins.insert(hv);
}
}
<span class="prelude-val">Err</span>(err) => {
<span class="self">self</span>.error = <span class="prelude-val">Some</span>(Either::Left(err.into()));
}
}
}
<span class="self">self
</span>}
<span class="doccomment">/// Determinate allowed origins by processing requests which didn't match any origins specified
/// in the `allowed_origin`.
///
/// The function will receive two parameters, the Origin header value, and the `RequestHead` of
/// each request, which can be used to determine whether to allow the request or not.
///
/// If the function returns `true`, the client's `Origin` request header will be echoed back
/// into the `Access-Control-Allow-Origin` response header.
</span><span class="kw">pub fn </span>allowed_origin_fn<F>(<span class="kw-2">mut </span><span class="self">self</span>, f: F) -> Cors
<span class="kw">where
</span>F: (Fn(<span class="kw-2">&</span>HeaderValue, <span class="kw-2">&</span>RequestHead) -> bool) + <span class="lifetime">'static</span>,
{
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.allowed_origins_fns.push(OriginFn {
boxed_fn: Rc::new(f),
});
}
<span class="self">self
</span>}
<span class="doccomment">/// Resets allowed methods list to all methods.
///
/// See [`Cors::allowed_methods`] for more info on allowed methods.
</span><span class="kw">pub fn </span>allow_any_method(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.allowed_methods = ALL_METHODS_SET.clone();
}
<span class="self">self
</span>}
<span class="doccomment">/// Set a list of methods which allowed origins can perform.
///
/// These will be sent in the `Access-Control-Allow-Methods` response header as specified in
/// the [Fetch Standard CORS protocol].
///
/// This defaults to an empty set.
///
/// [Fetch Standard CORS protocol]: https://fetch.spec.whatwg.org/#http-cors-protocol
</span><span class="kw">pub fn </span>allowed_methods<U, M>(<span class="kw-2">mut </span><span class="self">self</span>, methods: U) -> Cors
<span class="kw">where
</span>U: IntoIterator<Item = M>,
M: TryInto<Method>,
<M <span class="kw">as </span>TryInto<Method>>::Error: Into<HttpError>,
{
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
<span class="kw">for </span>m <span class="kw">in </span>methods {
<span class="kw">match </span>m.try_into() {
<span class="prelude-val">Ok</span>(method) => {
cors.allowed_methods.insert(method);
}
<span class="prelude-val">Err</span>(err) => {
<span class="self">self</span>.error = <span class="prelude-val">Some</span>(Either::Left(err.into()));
<span class="kw">break</span>;
}
}
}
}
<span class="self">self
</span>}
<span class="doccomment">/// Resets allowed request header list to a state where any header is accepted.
///
/// See [`Cors::allowed_headers`] for more info on allowed request headers.
</span><span class="kw">pub fn </span>allow_any_header(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.allowed_headers = AllOrSome::All;
}
<span class="self">self
</span>}
<span class="doccomment">/// Add an allowed request header.
///
/// See [`Cors::allowed_headers`] for more info on allowed request headers.
</span><span class="kw">pub fn </span>allowed_header<H>(<span class="kw-2">mut </span><span class="self">self</span>, header: H) -> Cors
<span class="kw">where
</span>H: TryInto<HeaderName>,
<H <span class="kw">as </span>TryInto<HeaderName>>::Error: Into<HttpError>,
{
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
<span class="kw">match </span>header.try_into() {
<span class="prelude-val">Ok</span>(method) => {
<span class="kw">if </span>cors.allowed_headers.is_all() {
cors.allowed_headers = AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>));
}
<span class="kw">if let </span>AllOrSome::Some(<span class="kw-2">ref mut </span>headers) = cors.allowed_headers {
headers.insert(method);
}
}
<span class="prelude-val">Err</span>(err) => <span class="self">self</span>.error = <span class="prelude-val">Some</span>(Either::Left(err.into())),
}
}
<span class="self">self
</span>}
<span class="doccomment">/// Set a list of request header field names which can be used when this resource is accessed by
/// allowed origins.
///
/// If `All` is set, whatever is requested by the client in `Access-Control-Request-Headers`
/// will be echoed back in the `Access-Control-Allow-Headers` header as specified in
/// the [Fetch Standard CORS protocol].
///
/// This defaults to an empty set.
///
/// [Fetch Standard CORS protocol]: https://fetch.spec.whatwg.org/#http-cors-protocol
</span><span class="kw">pub fn </span>allowed_headers<U, H>(<span class="kw-2">mut </span><span class="self">self</span>, headers: U) -> Cors
<span class="kw">where
</span>U: IntoIterator<Item = H>,
H: TryInto<HeaderName>,
<H <span class="kw">as </span>TryInto<HeaderName>>::Error: Into<HttpError>,
{
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
<span class="kw">for </span>h <span class="kw">in </span>headers {
<span class="kw">match </span>h.try_into() {
<span class="prelude-val">Ok</span>(method) => {
<span class="kw">if </span>cors.allowed_headers.is_all() {
cors.allowed_headers = AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>));
}
<span class="kw">if let </span>AllOrSome::Some(<span class="kw-2">ref mut </span>headers) = cors.allowed_headers {
headers.insert(method);
}
}
<span class="prelude-val">Err</span>(err) => {
<span class="self">self</span>.error = <span class="prelude-val">Some</span>(Either::Left(err.into()));
<span class="kw">break</span>;
}
}
}
}
<span class="self">self
</span>}
<span class="doccomment">/// Resets exposed response header list to a state where all headers are exposed.
///
/// See [`Cors::expose_headers`] for more info on exposed response headers.
</span><span class="kw">pub fn </span>expose_any_header(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.expose_headers = AllOrSome::All;
}
<span class="self">self
</span>}
<span class="doccomment">/// Set a list of headers which are safe to expose to the API of a CORS API specification.
/// This corresponds to the `Access-Control-Expose-Headers` response header as specified in
/// the [Fetch Standard CORS protocol].
///
/// This defaults to an empty set.
///
/// [Fetch Standard CORS protocol]: https://fetch.spec.whatwg.org/#http-cors-protocol
</span><span class="kw">pub fn </span>expose_headers<U, H>(<span class="kw-2">mut </span><span class="self">self</span>, headers: U) -> Cors
<span class="kw">where
</span>U: IntoIterator<Item = H>,
H: TryInto<HeaderName>,
<H <span class="kw">as </span>TryInto<HeaderName>>::Error: Into<HttpError>,
{
<span class="kw">for </span>h <span class="kw">in </span>headers {
<span class="kw">match </span>h.try_into() {
<span class="prelude-val">Ok</span>(header) => {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
<span class="kw">if </span>cors.expose_headers.is_all() {
cors.expose_headers = AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>));
}
<span class="kw">if let </span>AllOrSome::Some(<span class="kw-2">ref mut </span>headers) = cors.expose_headers {
headers.insert(header);
}
}
}
<span class="prelude-val">Err</span>(err) => {
<span class="self">self</span>.error = <span class="prelude-val">Some</span>(Either::Left(err.into()));
<span class="kw">break</span>;
}
}
}
<span class="self">self
</span>}
<span class="doccomment">/// Set a maximum time (in seconds) for which this CORS request may be cached. This value is set
/// as the `Access-Control-Max-Age` header as specified in the [Fetch Standard CORS protocol].
///
/// Pass a number (of seconds) or use None to disable sending max age header.
///
/// [Fetch Standard CORS protocol]: https://fetch.spec.whatwg.org/#http-cors-protocol
</span><span class="kw">pub fn </span>max_age(<span class="kw-2">mut </span><span class="self">self</span>, max_age: <span class="kw">impl </span>Into<<span class="prelude-ty">Option</span><usize>>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.max_age = max_age.into();
}
<span class="self">self
</span>}
<span class="doccomment">/// Set to use wildcard origins.
///
/// If send wildcard is set and the `allowed_origins` parameter is `All`, a wildcard
/// `Access-Control-Allow-Origin` response header is sent, rather than the request’s
/// `Origin` header.
///
/// This **CANNOT** be used in conjunction with `allowed_origins` set to `All` and
/// `allow_credentials` set to `true`. Depending on the mode of usage, this will either result
/// in an `CorsError::CredentialsWithWildcardOrigin` error during actix launch or runtime.
///
/// Defaults to `false`.
</span><span class="kw">pub fn </span>send_wildcard(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.send_wildcard = <span class="bool-val">true</span>;
}
<span class="self">self
</span>}
<span class="doccomment">/// Allows users to make authenticated requests
///
/// If true, injects the `Access-Control-Allow-Credentials` header in responses. This allows
/// cookies and credentials to be submitted across domains as specified in
/// the [Fetch Standard CORS protocol].
///
/// This option cannot be used in conjunction with an `allowed_origin` set to `All` and
/// `send_wildcards` set to `true`.
///
/// Defaults to `false`.
///
/// A server initialization error will occur if credentials are allowed, but the Origin is set
/// to send wildcards (`*`); this is not allowed by the CORS protocol.
///
/// [Fetch Standard CORS protocol]: https://fetch.spec.whatwg.org/#http-cors-protocol
</span><span class="kw">pub fn </span>supports_credentials(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.supports_credentials = <span class="bool-val">true</span>;
}
<span class="self">self
</span>}
<span class="doccomment">/// Allow private network access.
///
/// If true, injects the `Access-Control-Allow-Private-Network: true` header in responses if the
/// request contained the `Access-Control-Request-Private-Network: true` header.
///
/// For more information on this behavior, see the draft [Private Network Access] spec.
///
/// Defaults to `false`.
///
/// [Private Network Access]: https://wicg.github.io/private-network-access
</span><span class="attr">#[cfg(feature = <span class="string">"draft-private-network-access"</span>)]
</span><span class="kw">pub fn </span>allow_private_network_access(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.allow_private_network_access = <span class="bool-val">true</span>;
}
<span class="self">self
</span>}
<span class="doccomment">/// Disable `Vary` header support.
///
/// When enabled the header `Vary: Origin` will be returned as per the Fetch Standard
/// implementation guidelines.
///
/// Setting this header when the `Access-Control-Allow-Origin` is dynamically generated
/// (eg. when there is more than one allowed origin, and an Origin other than '*' is returned)
/// informs CDNs and other caches that the CORS headers are dynamic, and cannot be cached.
///
/// By default, `Vary` header support is enabled.
</span><span class="kw">pub fn </span>disable_vary_header(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.vary_header = <span class="bool-val">false</span>;
}
<span class="self">self
</span>}
<span class="doccomment">/// Disable support for preflight requests.
///
/// When enabled CORS middleware automatically handles `OPTIONS` requests.
/// This is useful for application level middleware.
///
/// By default *preflight* support is enabled.
</span><span class="kw">pub fn </span>disable_preflight(<span class="kw-2">mut </span><span class="self">self</span>) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.preflight = <span class="bool-val">false</span>;
}
<span class="self">self
</span>}
<span class="doccomment">/// Configures whether requests should be pre-emptively blocked on mismatched origin.
///
/// If `true`, a 400 Bad Request is returned immediately when a request fails origin validation.
///
/// If `false`, the request will be processed as normal but relevant CORS headers will not be
/// appended to the response. In this case, the browser is trusted to validate CORS headers and
/// and block requests based on pre-flight requests. Use this setting to allow cURL and other
/// non-browser HTTP clients to function as normal, no matter what `Origin` the request has.
///
/// Defaults to `true`.
</span><span class="kw">pub fn </span>block_on_origin_mismatch(<span class="kw-2">mut </span><span class="self">self</span>, block: bool) -> Cors {
<span class="kw">if let </span><span class="prelude-val">Some</span>(cors) = cors(<span class="kw-2">&mut </span><span class="self">self</span>.inner, <span class="kw-2">&</span><span class="self">self</span>.error) {
cors.block_on_origin_mismatch = block;
}
<span class="self">self
</span>}
}
<span class="kw">impl </span>Default <span class="kw">for </span>Cors {
<span class="doccomment">/// A restrictive (security paranoid) set of defaults.
///
/// *No* allowed origins, methods, request headers or exposed headers. Credentials
/// not supported. No max age (will use browser's default).
</span><span class="kw">fn </span>default() -> Cors {
<span class="kw">let </span>inner = Inner {
allowed_origins: AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>)),
allowed_origins_fns: <span class="macro">smallvec!</span>[],
allowed_methods: HashSet::with_capacity(<span class="number">8</span>),
allowed_methods_baked: <span class="prelude-val">None</span>,
allowed_headers: AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>)),
allowed_headers_baked: <span class="prelude-val">None</span>,
expose_headers: AllOrSome::Some(HashSet::with_capacity(<span class="number">8</span>)),
expose_headers_baked: <span class="prelude-val">None</span>,
max_age: <span class="prelude-val">None</span>,
preflight: <span class="bool-val">true</span>,
send_wildcard: <span class="bool-val">false</span>,
supports_credentials: <span class="bool-val">false</span>,
<span class="attr">#[cfg(feature = <span class="string">"draft-private-network-access"</span>)]
</span>allow_private_network_access: <span class="bool-val">false</span>,
vary_header: <span class="bool-val">true</span>,
block_on_origin_mismatch: <span class="bool-val">true</span>,
};
Cors {
inner: Rc::new(inner),
error: <span class="prelude-val">None</span>,
}
}
}
<span class="kw">impl</span><S, B> Transform<S, ServiceRequest> <span class="kw">for </span>Cors
<span class="kw">where
</span>S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
S::Future: <span class="lifetime">'static</span>,
B: MessageBody + <span class="lifetime">'static</span>,
{
<span class="kw">type </span>Response = ServiceResponse<EitherBody<B>>;
<span class="kw">type </span>Error = Error;
<span class="kw">type </span>InitError = ();
<span class="kw">type </span>Transform = CorsMiddleware<S>;
<span class="kw">type </span>Future = Ready<<span class="prelude-ty">Result</span><<span class="self">Self</span>::Transform, <span class="self">Self</span>::InitError>>;
<span class="kw">fn </span>new_transform(<span class="kw-2">&</span><span class="self">self</span>, service: S) -> <span class="self">Self</span>::Future {
<span class="kw">if let </span><span class="prelude-val">Some</span>(<span class="kw-2">ref </span>err) = <span class="self">self</span>.error {
<span class="kw">match </span>err {
Either::Left(err) => <span class="macro">error!</span>(<span class="string">"{}"</span>, err),
Either::Right(err) => <span class="macro">error!</span>(<span class="string">"{}"</span>, err),
}
<span class="kw">return </span>future::err(());
}
<span class="kw">let </span><span class="kw-2">mut </span>inner = Rc::clone(<span class="kw-2">&</span><span class="self">self</span>.inner);
<span class="kw">if </span>inner.supports_credentials && inner.send_wildcard && inner.allowed_origins.is_all() {
<span class="macro">error!</span>(
<span class="string">"Illegal combination of CORS options: credentials can not be supported when all \
origins are allowed and `send_wildcard` is enabled."
</span>);
<span class="kw">return </span>future::err(());
}
<span class="comment">// bake allowed headers value if Some and not empty
</span><span class="kw">match </span>inner.allowed_headers.as_ref() {
<span class="prelude-val">Some</span>(header_set) <span class="kw">if </span>!header_set.is_empty() => {
<span class="kw">let </span>allowed_headers_str = intersperse_header_values(header_set);
Rc::make_mut(<span class="kw-2">&mut </span>inner).allowed_headers_baked = <span class="prelude-val">Some</span>(allowed_headers_str);
}
<span class="kw">_ </span>=> {}
}
<span class="comment">// bake allowed methods value if not empty
</span><span class="kw">if </span>!inner.allowed_methods.is_empty() {
<span class="kw">let </span>allowed_methods_str = intersperse_header_values(<span class="kw-2">&</span>inner.allowed_methods);
Rc::make_mut(<span class="kw-2">&mut </span>inner).allowed_methods_baked = <span class="prelude-val">Some</span>(allowed_methods_str);
}
<span class="comment">// bake exposed headers value if Some and not empty
</span><span class="kw">match </span>inner.expose_headers.as_ref() {
<span class="prelude-val">Some</span>(header_set) <span class="kw">if </span>!header_set.is_empty() => {
<span class="kw">let </span>expose_headers_str = intersperse_header_values(header_set);
Rc::make_mut(<span class="kw-2">&mut </span>inner).expose_headers_baked = <span class="prelude-val">Some</span>(expose_headers_str);
}
<span class="kw">_ </span>=> {}
}
future::ok(CorsMiddleware { service, inner })
}
}
<span class="doccomment">/// Only call when values are guaranteed to be valid header values and set is not empty.
</span><span class="kw">pub</span>(<span class="kw">crate</span>) <span class="kw">fn </span>intersperse_header_values<T>(val_set: <span class="kw-2">&</span>HashSet<T>) -> HeaderValue
<span class="kw">where
</span>T: AsRef<str>,
{
<span class="macro">debug_assert!</span>(
!val_set.is_empty(),
<span class="string">"only call `intersperse_header_values` when set is not empty"
</span>);
val_set
.iter()
.fold(String::with_capacity(<span class="number">64</span>), |<span class="kw-2">mut </span>acc, val| {
acc.push_str(<span class="string">", "</span>);
acc.push_str(val.as_ref());
acc
})
<span class="comment">// set is not empty so string will always have leading ", " to trim
</span>[<span class="number">2</span>..]
.try_into()
<span class="comment">// all method names are valid header values
</span>.unwrap()
}
<span class="attr">#[cfg(test)]
</span><span class="kw">mod </span>test {
<span class="kw">use </span>std::convert::{Infallible, TryInto};
<span class="kw">use </span>actix_web::{
body,
dev::{fn_service, Transform},
http::{header::HeaderName, StatusCode},
test::{<span class="self">self</span>, TestRequest},
HttpResponse,
};
<span class="kw">use super</span>::<span class="kw-2">*</span>;
<span class="attr">#[test]
</span><span class="kw">fn </span>illegal_allow_credentials() {
<span class="comment">// using the permissive defaults (all origins allowed) and adding send_wildcard
// and supports_credentials should error on construction
</span><span class="macro">assert!</span>(Cors::permissive()
.supports_credentials()
.send_wildcard()
.new_transform(test::ok_service())
.into_inner()
.is_err());
}
<span class="attr">#[actix_web::test]
</span><span class="kw">async fn </span>restrictive_defaults() {
<span class="kw">let </span>cors = Cors::default()
.new_transform(test::ok_service())
.<span class="kw">await
</span>.unwrap();
<span class="kw">let </span>req = TestRequest::default()
.insert_header((<span class="string">"Origin"</span>, <span class="string">"https://www.example.com"</span>))
.to_srv_request();
<span class="kw">let </span>resp = test::call_service(<span class="kw-2">&</span>cors, req).<span class="kw">await</span>;
<span class="macro">assert_eq!</span>(resp.status(), StatusCode::BAD_REQUEST);
}
<span class="attr">#[actix_web::test]
</span><span class="kw">async fn </span>allowed_header_try_from() {
<span class="kw">let </span>_cors = Cors::default().allowed_header(<span class="string">"Content-Type"</span>);
}
<span class="attr">#[actix_web::test]
</span><span class="kw">async fn </span>allowed_header_try_into() {
<span class="kw">struct </span>ContentType;
<span class="kw">impl </span>TryInto<HeaderName> <span class="kw">for </span>ContentType {
<span class="kw">type </span>Error = Infallible;
<span class="kw">fn </span>try_into(<span class="self">self</span>) -> <span class="prelude-ty">Result</span><HeaderName, <span class="self">Self</span>::Error> {
<span class="prelude-val">Ok</span>(HeaderName::from_static(<span class="string">"content-type"</span>))
}
}
<span class="kw">let </span>_cors = Cors::default().allowed_header(ContentType);
}
<span class="attr">#[actix_web::test]
</span><span class="kw">async fn </span>middleware_generic_over_body_type() {
<span class="kw">let </span>srv = fn_service(|req: ServiceRequest| <span class="kw">async move </span>{
<span class="prelude-val">Ok</span>(req.into_response(HttpResponse::with_body(StatusCode::OK, body::None::new())))
});
Cors::default().new_transform(srv).<span class="kw">await</span>.unwrap();
}
}
</code></pre></div></section></main></body></html>