Only return a single Origin value (#644)

Only return a single origin if matched.
2024-11-23 16:21:06 +01:00 · 2018-12-24 19:16:07 +01:00 · 2018-12-24 19:16:07 +01:00 · bfdf762062
commit bfdf762062
parent 477bf0d8ae
2 changed files with 61 additions and 16 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -11,6 +11,7 @@
 ### Fixed

 * HTTP1 decoder should perform case-insentive comparison for client requests (e.g. `Keep-Alive`). #631
+* Access-Control-Allow-Origin header should only a return a single, matching origin. #603

 ## [0.7.16] - 2018-12-11

--- a/src/middleware/cors.rs
+++ b/src/middleware/cors.rs
@ -442,11 +442,23 @@ impl<S> Middleware<S> for Cors {
                        .insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin.clone());
                }
            }
-            AllOrSome::Some(_) => {
-                resp.headers_mut().insert(
-                    header::ACCESS_CONTROL_ALLOW_ORIGIN,
-                    self.inner.origins_str.as_ref().unwrap().clone(),
-                );
+            AllOrSome::Some(ref origins) => {
+                if let Some(origin) = req.headers().get(header::ORIGIN).filter(|o| {
+                        match o.to_str() {
+                            Ok(os) => origins.contains(os),
+                            _ => false
+                        }
+                    }) {
+                    resp.headers_mut().insert(
+                        header::ACCESS_CONTROL_ALLOW_ORIGIN,
+                        origin.clone(),
+                    );
+                } else {
+                    resp.headers_mut().insert(
+                        header::ACCESS_CONTROL_ALLOW_ORIGIN,
+                        self.inner.origins_str.as_ref().unwrap().clone()
+                    );
+                };
            }
        }

@ -1134,17 +1146,10 @@ mod tests {
            .to_str()
            .unwrap();

-        if origins_str.starts_with("https://www.example.com") {
-            assert_eq!(
-                "https://www.example.com, https://www.google.com",
-                origins_str
-            );
-        } else {
-            assert_eq!(
-                "https://www.google.com, https://www.example.com",
-                origins_str
-            );
-        }
+        assert_eq!(
+            "https://www.example.com",
+            origins_str
+        );
    }

    #[test]
@ -1180,4 +1185,43 @@ mod tests {
        let response = srv.execute(request.send()).unwrap();
        assert_eq!(response.status(), StatusCode::OK);
    }
+
+    #[test]
+    fn test_multiple_origins() {
+        let cors = Cors::build()
+            .allowed_origin("https://example.com")
+            .allowed_origin("https://example.org")
+            .allowed_methods(vec![Method::GET])
+            .finish();
+
+
+        let req = TestRequest::with_header("Origin", "https://example.com")
+            .method(Method::GET)
+            .finish();
+        let resp: HttpResponse = HttpResponse::Ok().into();
+
+        let resp = cors.response(&req, resp).unwrap().response();
+        print!("{:?}", resp);
+        assert_eq!(
+            &b"https://example.com"[..],
+            resp.headers()
+                .get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
+                .unwrap()
+                .as_bytes()
+        );
+
+        let req = TestRequest::with_header("Origin", "https://example.org")
+            .method(Method::GET)
+            .finish();
+        let resp: HttpResponse = HttpResponse::Ok().into();
+
+        let resp = cors.response(&req, resp).unwrap().response();
+        assert_eq!(
+            &b"https://example.org"[..],
+            resp.headers()
+                .get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
+                .unwrap()
+                .as_bytes()
+        );
+    }
 }