Struct actix_cors::Cors

source ·
pub struct Cors { /* private fields */ }
Expand description

Builder for CORS middleware.

To construct a CORS middleware, call Cors::default() to create a blank, restrictive builder. Then use any of the builder methods to customize CORS behavior.

The alternative Cors::permissive() constructor is available for local development, allowing all origins and headers, etc. The permissive constructor should not be used in production.

Errors

Errors surface in the middleware initialization phase. This means that, if you have logs enabled in Actix Web (using env_logger or other crate that exposes logs from the log crate), error messages will outline what is wrong with the CORS configuration in the server logs and the server will fail to start up or serve requests.

Example

use actix_cors::Cors;
use actix_web::http::header;

let cors = Cors::default()
    .allowed_origin("https://www.rust-lang.org")
    .allowed_methods(vec!["GET", "POST"])
    .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
    .allowed_header(header::CONTENT_TYPE)
    .max_age(3600);

// `cors` can now be used in `App::wrap`.

Implementations§

source§

impl Cors

source

pub fn permissive() -> Self

A very permissive set of default for quick development. Not recommended for production use.

All origins, methods, request headers and exposed headers allowed. Credentials supported. Max age 1 hour. Does not send wildcard.

source

pub fn allow_any_origin(self) -> Cors

Resets allowed origin list to a state where any origin is accepted.

See Cors::allowed_origin for more info on allowed origins.

source

pub fn allowed_origin(self, origin: &str) -> Cors

Add an origin that is allowed to make requests.

This method allows specifying a finite set of origins to verify the value of the Origin request header. These are origin-or-null types in the Fetch Standard.

By default, no origins are accepted.

When this list is set, the client’s Origin request header will be checked in a case-sensitive manner.

When all origins are allowed and send_wildcard is set, * will be sent in the Access-Control-Allow-Origin response header. If send_wildcard is not set, the client’s Origin request header will be echoed back in the Access-Control-Allow-Origin response header.

If the origin of the request doesn’t match any allowed origins and at least one allowed_origin_fn function is set, these functions will be used to determinate allowed origins.

Initialization Errors
  • If supplied origin is not valid uri
  • If supplied origin is a wildcard (*). Cors::send_wildcard should be used instead.
source

pub fn allowed_origin_fn<F>(self, f: F) -> Corswhere F: Fn(&HeaderValue, &RequestHead) -> bool + 'static,

Determinate allowed origins by processing requests which didn’t match any origins specified in the allowed_origin.

The function will receive two parameters, the Origin header value, and the RequestHead of each request, which can be used to determine whether to allow the request or not.

If the function returns true, the client’s Origin request header will be echoed back into the Access-Control-Allow-Origin response header.

source

pub fn allow_any_method(self) -> Cors

Resets allowed methods list to all methods.

See Cors::allowed_methods for more info on allowed methods.

source

pub fn allowed_methods<U, M>(self, methods: U) -> Corswhere U: IntoIterator<Item = M>, M: TryInto<Method>, <M as TryInto<Method>>::Error: Into<HttpError>,

Set a list of methods which allowed origins can perform.

These will be sent in the Access-Control-Allow-Methods response header as specified in the Fetch Standard CORS protocol.

This defaults to an empty set.

source

pub fn allow_any_header(self) -> Cors

Resets allowed request header list to a state where any header is accepted.

See Cors::allowed_headers for more info on allowed request headers.

source

pub fn allowed_header<H>(self, header: H) -> Corswhere H: TryInto<HeaderName>, <H as TryInto<HeaderName>>::Error: Into<HttpError>,

Add an allowed request header.

See Cors::allowed_headers for more info on allowed request headers.

source

pub fn allowed_headers<U, H>(self, headers: U) -> Corswhere U: IntoIterator<Item = H>, H: TryInto<HeaderName>, <H as TryInto<HeaderName>>::Error: Into<HttpError>,

Set a list of request header field names which can be used when this resource is accessed by allowed origins.

If All is set, whatever is requested by the client in Access-Control-Request-Headers will be echoed back in the Access-Control-Allow-Headers header as specified in the Fetch Standard CORS protocol.

This defaults to an empty set.

source

pub fn expose_any_header(self) -> Cors

Resets exposed response header list to a state where all headers are exposed.

See Cors::expose_headers for more info on exposed response headers.

source

pub fn expose_headers<U, H>(self, headers: U) -> Corswhere U: IntoIterator<Item = H>, H: TryInto<HeaderName>, <H as TryInto<HeaderName>>::Error: Into<HttpError>,

Set a list of headers which are safe to expose to the API of a CORS API specification. This corresponds to the Access-Control-Expose-Headers response header as specified in the Fetch Standard CORS protocol.

This defaults to an empty set.

source

pub fn max_age(self, max_age: impl Into<Option<usize>>) -> Cors

Set a maximum time (in seconds) for which this CORS request may be cached. This value is set as the Access-Control-Max-Age header as specified in the Fetch Standard CORS protocol.

Pass a number (of seconds) or use None to disable sending max age header.

source

pub fn send_wildcard(self) -> Cors

Set to use wildcard origins.

If send wildcard is set and the allowed_origins parameter is All, a wildcard Access-Control-Allow-Origin response header is sent, rather than the request’s Origin header.

This CANNOT be used in conjunction with allowed_origins set to All and allow_credentials set to true. Depending on the mode of usage, this will either result in an CorsError::CredentialsWithWildcardOrigin error during actix launch or runtime.

Defaults to false.

source

pub fn supports_credentials(self) -> Cors

Allows users to make authenticated requests

If true, injects the Access-Control-Allow-Credentials header in responses. This allows cookies and credentials to be submitted across domains as specified in the Fetch Standard CORS protocol.

This option cannot be used in conjunction with an allowed_origin set to All and send_wildcards set to true.

Defaults to false.

A server initialization error will occur if credentials are allowed, but the Origin is set to send wildcards (*); this is not allowed by the CORS protocol.

source

pub fn allow_local_network_access(self) -> Cors

Allow private network access.

If true, injects the Access-Control-Allow-Local-Network: true header in responses if the request contained the Access-Control-Request-Local-Network: true header.

For more information on this behavior, see the draft [Local Network Access] spec.

Defaults to false.

source

pub fn disable_vary_header(self) -> Cors

Disable Vary header support.

When enabled the header Vary: Origin will be returned as per the Fetch Standard implementation guidelines.

Setting this header when the Access-Control-Allow-Origin is dynamically generated (eg. when there is more than one allowed origin, and an Origin other than ‘*’ is returned) informs CDNs and other caches that the CORS headers are dynamic, and cannot be cached.

By default, Vary header support is enabled.

source

pub fn disable_preflight(self) -> Cors

Disable support for preflight requests.

When enabled CORS middleware automatically handles OPTIONS requests. This is useful for application level middleware.

By default preflight support is enabled.

source

pub fn block_on_origin_mismatch(self, block: bool) -> Cors

Configures whether requests should be pre-emptively blocked on mismatched origin.

If true, a 400 Bad Request is returned immediately when a request fails origin validation.

If false, the request will be processed as normal but relevant CORS headers will not be appended to the response. In this case, the browser is trusted to validate CORS headers and and block requests based on pre-flight requests. Use this setting to allow cURL and other non-browser HTTP clients to function as normal, no matter what Origin the request has.

Defaults to true.

Trait Implementations§

source§

impl Debug for Cors

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
source§

impl Default for Cors

source§

fn default() -> Cors

A restrictive (security paranoid) set of defaults.

No allowed origins, methods, request headers or exposed headers. Credentials not supported. No max age (will use browser’s default).

source§

impl<S, B> Transform<S, ServiceRequest> for Corswhere S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>, S::Future: 'static, B: MessageBody + 'static,

§

type Response = ServiceResponse<EitherBody<B, BoxBody>>

Responses produced by the service.
§

type Error = Error

Errors produced by the service.
§

type InitError = ()

Errors produced while building a transform service.
§

type Transform = CorsMiddleware<S>

The TransformService value created by this factory
§

type Future = Ready<Result<<Cors as Transform<S, ServiceRequest>>::Transform, <Cors as Transform<S, ServiceRequest>>::InitError>>

The future response value.
source§

fn new_transform(&self, service: S) -> Self::Future

Creates and returns a new Transform component, asynchronously

Auto Trait Implementations§

§

impl !RefUnwindSafe for Cors

§

impl !Send for Cors

§

impl !Sync for Cors

§

impl Unpin for Cors

§

impl !UnwindSafe for Cors

Blanket Implementations§

source§

impl<T> Any for Twhere T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for Twhere T: ?Sized,

const: unstable · source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for Twhere T: ?Sized,

const: unstable · source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

const: unstable · source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T> Instrument for T

source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
source§

impl<T, U> Into<U> for Twhere U: From<T>,

const: unstable · source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> Same<T> for T

§

type Output = T

Should always be Self
source§

impl<T, U> TryFrom<U> for Twhere U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
const: unstable · source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for Twhere U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
const: unstable · source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<V, T> VZip<V> for Twhere V: MultiLane<T>,

§

fn vzip(self) -> V

source§

impl<T> WithSubscriber for T

source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more