<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source to the Rust file `src/middleware/csrf.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>csrf.rs.html -- source</title><link rel="stylesheet" type="text/css" href="../../../normalize.css"><link rel="stylesheet" type="text/css" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" type="text/css" href="../../../dark.css"><link rel="stylesheet" type="text/css" href="../../../light.css" id="themeStyle"><script src="../../../storage.js"></script></head><body class="rustdoc source"><!--[if lte IE 8]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><div class="sidebar-menu">☰</div></nav><div class="theme-picker"><button id="theme-picker" aria-label="Pick another theme!"><img src="../../../brush.svg" width="18" alt="Pick another theme!"></button><div id="theme-choices"></div></div><script src="../../../theme.js"></script><nav class="sub"><form class="search-form js-only"><div class="search-container"><input class="search-input" name="search" autocomplete="off" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><a id="settings-menu" href="../../../settings.html"><img src="../../../wheel.svg" width="18" alt="Change settings"></a></div></form></nav><section id="main" class="content"><pre class="line-numbers"><span id="1"> 1</span>
<span id="2"> 2</span>
<span id="3"> 3</span>
<span id="4"> 4</span>
<span id="5"> 5</span>
<span id="6"> 6</span>
<span id="7"> 7</span>
<span id="8"> 8</span>
<span id="9"> 9</span>
<span id="10"> 10</span>
<span id="11"> 11</span>
<span id="12"> 12</span>
<span id="13"> 13</span>
<span id="14"> 14</span>
<span id="15"> 15</span>
<span id="16"> 16</span>
<span id="17"> 17</span>
<span id="18"> 18</span>
<span id="19"> 19</span>
<span id="20"> 20</span>
<span id="21"> 21</span>
<span id="22"> 22</span>
<span id="23"> 23</span>
<span id="24"> 24</span>
<span id="25"> 25</span>
<span id="26"> 26</span>
<span id="27"> 27</span>
<span id="28"> 28</span>
<span id="29"> 29</span>
<span id="30"> 30</span>
<span id="31"> 31</span>
<span id="32"> 32</span>
<span id="33"> 33</span>
<span id="34"> 34</span>
<span id="35"> 35</span>
<span id="36"> 36</span>
<span id="37"> 37</span>
<span id="38"> 38</span>
<span id="39"> 39</span>
<span id="40"> 40</span>
<span id="41"> 41</span>
<span id="42"> 42</span>
<span id="43"> 43</span>
<span id="44"> 44</span>
<span id="45"> 45</span>
<span id="46"> 46</span>
<span id="47"> 47</span>
<span id="48"> 48</span>
<span id="49"> 49</span>
<span id="50"> 50</span>
<span id="51"> 51</span>
<span id="52"> 52</span>
<span id="53"> 53</span>
<span id="54"> 54</span>
<span id="55"> 55</span>
<span id="56"> 56</span>
<span id="57"> 57</span>
<span id="58"> 58</span>
<span id="59"> 59</span>
<span id="60"> 60</span>
<span id="61"> 61</span>
<span id="62"> 62</span>
<span id="63"> 63</span>
<span id="64"> 64</span>
<span id="65"> 65</span>
<span id="66"> 66</span>
<span id="67"> 67</span>
<span id="68"> 68</span>
<span id="69"> 69</span>
<span id="70"> 70</span>
<span id="71"> 71</span>
<span id="72"> 72</span>
<span id="73"> 73</span>
<span id="74"> 74</span>
<span id="75"> 75</span>
<span id="76"> 76</span>
<span id="77"> 77</span>
<span id="78"> 78</span>
<span id="79"> 79</span>
<span id="80"> 80</span>
<span id="81"> 81</span>
<span id="82"> 82</span>
<span id="83"> 83</span>
<span id="84"> 84</span>
<span id="85"> 85</span>
<span id="86"> 86</span>
<span id="87"> 87</span>
<span id="88"> 88</span>
<span id="89"> 89</span>
<span id="90"> 90</span>
<span id="91"> 91</span>
<span id="92"> 92</span>
<span id="93"> 93</span>
<span id="94"> 94</span>
<span id="95"> 95</span>
<span id="96"> 96</span>
<span id="97"> 97</span>
<span id="98"> 98</span>
<span id="99"> 99</span>
<span id="100">100</span>
<span id="101">101</span>
<span id="102">102</span>
<span id="103">103</span>
<span id="104">104</span>
<span id="105">105</span>
<span id="106">106</span>
<span id="107">107</span>
<span id="108">108</span>
<span id="109">109</span>
<span id="110">110</span>
<span id="111">111</span>
<span id="112">112</span>
<span id="113">113</span>
<span id="114">114</span>
<span id="115">115</span>
<span id="116">116</span>
<span id="117">117</span>
<span id="118">118</span>
<span id="119">119</span>
<span id="120">120</span>
<span id="121">121</span>
<span id="122">122</span>
<span id="123">123</span>
<span id="124">124</span>
<span id="125">125</span>
<span id="126">126</span>
<span id="127">127</span>
<span id="128">128</span>
<span id="129">129</span>
<span id="130">130</span>
<span id="131">131</span>
<span id="132">132</span>
<span id="133">133</span>
<span id="134">134</span>
<span id="135">135</span>
<span id="136">136</span>
<span id="137">137</span>
<span id="138">138</span>
<span id="139">139</span>
<span id="140">140</span>
<span id="141">141</span>
<span id="142">142</span>
<span id="143">143</span>
<span id="144">144</span>
<span id="145">145</span>
<span id="146">146</span>
<span id="147">147</span>
<span id="148">148</span>
<span id="149">149</span>
<span id="150">150</span>
<span id="151">151</span>
<span id="152">152</span>
<span id="153">153</span>
<span id="154">154</span>
<span id="155">155</span>
<span id="156">156</span>
<span id="157">157</span>
<span id="158">158</span>
<span id="159">159</span>
<span id="160">160</span>
<span id="161">161</span>
<span id="162">162</span>
<span id="163">163</span>
<span id="164">164</span>
<span id="165">165</span>
<span id="166">166</span>
<span id="167">167</span>
<span id="168">168</span>
<span id="169">169</span>
<span id="170">170</span>
<span id="171">171</span>
<span id="172">172</span>
<span id="173">173</span>
<span id="174">174</span>
<span id="175">175</span>
<span id="176">176</span>
<span id="177">177</span>
<span id="178">178</span>
<span id="179">179</span>
<span id="180">180</span>
<span id="181">181</span>
<span id="182">182</span>
<span id="183">183</span>
<span id="184">184</span>
<span id="185">185</span>
<span id="186">186</span>
<span id="187">187</span>
<span id="188">188</span>
<span id="189">189</span>
<span id="190">190</span>
<span id="191">191</span>
<span id="192">192</span>
<span id="193">193</span>
<span id="194">194</span>
<span id="195">195</span>
<span id="196">196</span>
<span id="197">197</span>
<span id="198">198</span>
<span id="199">199</span>
<span id="200">200</span>
<span id="201">201</span>
<span id="202">202</span>
<span id="203">203</span>
<span id="204">204</span>
<span id="205">205</span>
<span id="206">206</span>
<span id="207">207</span>
<span id="208">208</span>
<span id="209">209</span>
<span id="210">210</span>
<span id="211">211</span>
<span id="212">212</span>
<span id="213">213</span>
<span id="214">214</span>
<span id="215">215</span>
<span id="216">216</span>
<span id="217">217</span>
<span id="218">218</span>
<span id="219">219</span>
<span id="220">220</span>
<span id="221">221</span>
<span id="222">222</span>
<span id="223">223</span>
<span id="224">224</span>
<span id="225">225</span>
<span id="226">226</span>
<span id="227">227</span>
<span id="228">228</span>
<span id="229">229</span>
<span id="230">230</span>
<span id="231">231</span>
<span id="232">232</span>
<span id="233">233</span>
<span id="234">234</span>
<span id="235">235</span>
<span id="236">236</span>
<span id="237">237</span>
<span id="238">238</span>
<span id="239">239</span>
<span id="240">240</span>
<span id="241">241</span>
<span id="242">242</span>
<span id="243">243</span>
<span id="244">244</span>
<span id="245">245</span>
<span id="246">246</span>
<span id="247">247</span>
<span id="248">248</span>
<span id="249">249</span>
<span id="250">250</span>
<span id="251">251</span>
<span id="252">252</span>
<span id="253">253</span>
<span id="254">254</span>
<span id="255">255</span>
<span id="256">256</span>
<span id="257">257</span>
<span id="258">258</span>
<span id="259">259</span>
<span id="260">260</span>
<span id="261">261</span>
<span id="262">262</span>
<span id="263">263</span>
<span id="264">264</span>
<span id="265">265</span>
<span id="266">266</span>
<span id="267">267</span>
<span id="268">268</span>
<span id="269">269</span>
<span id="270">270</span>
<span id="271">271</span>
<span id="272">272</span>
<span id="273">273</span>
<span id="274">274</span>
<span id="275">275</span>
<span id="276">276</span>
</pre><pre class="rust ">
<span class="doccomment">//! A filter for cross-site request forgery (CSRF).</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! This middleware is stateless and [based on request</span>
<span class="doccomment">//! headers](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers).</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! By default requests are allowed only if one of these is true:</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! * The request method is safe (`GET`, `HEAD`, `OPTIONS`). It is the</span>
<span class="doccomment">//! applications responsibility to ensure these methods cannot be used to</span>
<span class="doccomment">//! execute unwanted actions. Note that upgrade requests for websockets are</span>
<span class="doccomment">//! also considered safe.</span>
<span class="doccomment">//! * The `Origin` header (added automatically by the browser) matches one</span>
<span class="doccomment">//! of the allowed origins.</span>
<span class="doccomment">//! * There is no `Origin` header but the `Referer` header matches one of</span>
<span class="doccomment">//! the allowed origins.</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! Use [`CsrfFilter::allow_xhr()`](struct.CsrfFilter.html#method.allow_xhr)</span>
<span class="doccomment">//! if you want to allow requests with unprotected methods via</span>
<span class="doccomment">//! [CORS](../cors/struct.Cors.html).</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! # Example</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! ```</span>
<span class="doccomment">//! # extern crate actix_web;</span>
<span class="doccomment">//! use actix_web::middleware::csrf;</span>
<span class="doccomment">//! use actix_web::{http, App, HttpRequest, HttpResponse};</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! fn handle_post(_: &HttpRequest) -> &'static str {</span>
<span class="doccomment">//! "This action should only be triggered with requests from the same site"</span>
<span class="doccomment">//! }</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! fn main() {</span>
<span class="doccomment">//! let app = App::new()</span>
<span class="doccomment">//! .middleware(</span>
<span class="doccomment">//! csrf::CsrfFilter::new().allowed_origin("https://www.example.com"),</span>
<span class="doccomment">//! )</span>
<span class="doccomment">//! .resource("/", |r| {</span>
<span class="doccomment">//! r.method(http::Method::GET).f(|_| HttpResponse::Ok());</span>
<span class="doccomment">//! r.method(http::Method::POST).f(handle_post);</span>
<span class="doccomment">//! })</span>
<span class="doccomment">//! .finish();</span>
<span class="doccomment">//! }</span>
<span class="doccomment">//! ```</span>
<span class="doccomment">//!</span>
<span class="doccomment">//! In this example the entire application is protected from CSRF.</span>
<span class="kw">use</span> <span class="ident">std</span>::<span class="ident">borrow</span>::<span class="ident">Cow</span>;
<span class="kw">use</span> <span class="ident">std</span>::<span class="ident">collections</span>::<span class="ident">HashSet</span>;
<span class="kw">use</span> <span class="ident">bytes</span>::<span class="ident">Bytes</span>;
<span class="kw">use</span> <span class="ident">error</span>::{<span class="ident">ResponseError</span>, <span class="prelude-ty">Result</span>};
<span class="kw">use</span> <span class="ident">http</span>::{<span class="ident">header</span>, <span class="ident">HeaderMap</span>, <span class="ident">HttpTryFrom</span>, <span class="ident">Uri</span>};
<span class="kw">use</span> <span class="ident">httprequest</span>::<span class="ident">HttpRequest</span>;
<span class="kw">use</span> <span class="ident">httpresponse</span>::<span class="ident">HttpResponse</span>;
<span class="kw">use</span> <span class="ident">middleware</span>::{<span class="ident">Middleware</span>, <span class="ident">Started</span>};
<span class="kw">use</span> <span class="ident">server</span>::<span class="ident">Request</span>;
<span class="doccomment">/// Potential cross-site request forgery detected.</span>
<span class="attribute">#[<span class="ident">derive</span>(<span class="ident">Debug</span>, <span class="ident">Fail</span>)]</span>
<span class="kw">pub</span> <span class="kw">enum</span> <span class="ident">CsrfError</span> {
<span class="doccomment">/// The HTTP request header `Origin` was required but not provided.</span>
<span class="attribute">#[<span class="ident">fail</span>(<span class="ident">display</span> <span class="op">=</span> <span class="string">"Origin header required"</span>)]</span>
<span class="ident">MissingOrigin</span>,
<span class="doccomment">/// The HTTP request header `Origin` could not be parsed correctly.</span>
<span class="attribute">#[<span class="ident">fail</span>(<span class="ident">display</span> <span class="op">=</span> <span class="string">"Could not parse Origin header"</span>)]</span>
<span class="ident">BadOrigin</span>,
<span class="doccomment">/// The cross-site request was denied.</span>
<span class="attribute">#[<span class="ident">fail</span>(<span class="ident">display</span> <span class="op">=</span> <span class="string">"Cross-site request denied"</span>)]</span>
<span class="ident">CsrDenied</span>,
}
<span class="kw">impl</span> <span class="ident">ResponseError</span> <span class="kw">for</span> <span class="ident">CsrfError</span> {
<span class="kw">fn</span> <span class="ident">error_response</span>(<span class="kw-2">&</span><span class="self">self</span>) <span class="op">-></span> <span class="ident">HttpResponse</span> {
<span class="ident">HttpResponse</span>::<span class="ident">Forbidden</span>().<span class="ident">body</span>(<span class="self">self</span>.<span class="ident">to_string</span>())
}
}
<span class="kw">fn</span> <span class="ident">uri_origin</span>(<span class="ident">uri</span>: <span class="kw-2">&</span><span class="ident">Uri</span>) <span class="op">-></span> <span class="prelude-ty">Option</span><span class="op"><</span><span class="ident">String</span><span class="op">></span> {
<span class="kw">match</span> (<span class="ident">uri</span>.<span class="ident">scheme_part</span>(), <span class="ident">uri</span>.<span class="ident">host</span>(), <span class="ident">uri</span>.<span class="ident">port</span>()) {
(<span class="prelude-val">Some</span>(<span class="ident">scheme</span>), <span class="prelude-val">Some</span>(<span class="ident">host</span>), <span class="prelude-val">Some</span>(<span class="ident">port</span>)) <span class="op">=></span> {
<span class="prelude-val">Some</span>(<span class="macro">format</span><span class="macro">!</span>(<span class="string">"{}://{}:{}"</span>, <span class="ident">scheme</span>, <span class="ident">host</span>, <span class="ident">port</span>))
}
(<span class="prelude-val">Some</span>(<span class="ident">scheme</span>), <span class="prelude-val">Some</span>(<span class="ident">host</span>), <span class="prelude-val">None</span>) <span class="op">=></span> <span class="prelude-val">Some</span>(<span class="macro">format</span><span class="macro">!</span>(<span class="string">"{}://{}"</span>, <span class="ident">scheme</span>, <span class="ident">host</span>)),
<span class="kw">_</span> <span class="op">=></span> <span class="prelude-val">None</span>,
}
}
<span class="kw">fn</span> <span class="ident">origin</span>(<span class="ident">headers</span>: <span class="kw-2">&</span><span class="ident">HeaderMap</span>) <span class="op">-></span> <span class="prelude-ty">Option</span><span class="op"><</span><span class="prelude-ty">Result</span><span class="op"><</span><span class="ident">Cow</span><span class="op"><</span><span class="ident">str</span><span class="op">></span>, <span class="ident">CsrfError</span><span class="op">>></span> {
<span class="ident">headers</span>
.<span class="ident">get</span>(<span class="ident">header</span>::<span class="ident">ORIGIN</span>)
.<span class="ident">map</span>(<span class="op">|</span><span class="ident">origin</span><span class="op">|</span> {
<span class="ident">origin</span>
.<span class="ident">to_str</span>()
.<span class="ident">map_err</span>(<span class="op">|</span><span class="kw">_</span><span class="op">|</span> <span class="ident">CsrfError</span>::<span class="ident">BadOrigin</span>)
.<span class="ident">map</span>(<span class="op">|</span><span class="ident">o</span><span class="op">|</span> <span class="ident">o</span>.<span class="ident">into</span>())
})
.<span class="ident">or_else</span>(<span class="op">||</span> {
<span class="ident">headers</span>.<span class="ident">get</span>(<span class="ident">header</span>::<span class="ident">REFERER</span>).<span class="ident">map</span>(<span class="op">|</span><span class="ident">referer</span><span class="op">|</span> {
<span class="ident">Uri</span>::<span class="ident">try_from</span>(<span class="ident">Bytes</span>::<span class="ident">from</span>(<span class="ident">referer</span>.<span class="ident">as_bytes</span>()))
.<span class="ident">ok</span>()
.<span class="ident">as_ref</span>()
.<span class="ident">and_then</span>(<span class="ident">uri_origin</span>)
.<span class="ident">ok_or</span>(<span class="ident">CsrfError</span>::<span class="ident">BadOrigin</span>)
.<span class="ident">map</span>(<span class="op">|</span><span class="ident">o</span><span class="op">|</span> <span class="ident">o</span>.<span class="ident">into</span>())
})
})
}
<span class="doccomment">/// A middleware that filters cross-site requests.</span>
<span class="doccomment">///</span>
<span class="doccomment">/// To construct a CSRF filter:</span>
<span class="doccomment">///</span>
<span class="doccomment">/// 1. Call [`CsrfFilter::build`](struct.CsrfFilter.html#method.build) to</span>
<span class="doccomment">/// start building.</span>
<span class="doccomment">/// 2. [Add](struct.CsrfFilterBuilder.html#method.allowed_origin) allowed</span>
<span class="doccomment">/// origins.</span>
<span class="doccomment">/// 3. Call [finish](struct.CsrfFilterBuilder.html#method.finish) to retrieve</span>
<span class="doccomment">/// the constructed filter.</span>
<span class="doccomment">///</span>
<span class="doccomment">/// # Example</span>
<span class="doccomment">///</span>
<span class="doccomment">/// ```</span>
<span class="doccomment">/// use actix_web::middleware::csrf;</span>
<span class="doccomment">/// use actix_web::App;</span>
<span class="doccomment">///</span>
<span class="doccomment">/// # fn main() {</span>
<span class="doccomment">/// let app = App::new()</span>
<span class="doccomment">/// .middleware(csrf::CsrfFilter::new().allowed_origin("https://www.example.com"));</span>
<span class="doccomment">/// # }</span>
<span class="doccomment">/// ```</span>
<span class="attribute">#[<span class="ident">derive</span>(<span class="ident">Default</span>)]</span>
<span class="kw">pub</span> <span class="kw">struct</span> <span class="ident">CsrfFilter</span> {
<span class="ident">origins</span>: <span class="ident">HashSet</span><span class="op"><</span><span class="ident">String</span><span class="op">></span>,
<span class="ident">allow_xhr</span>: <span class="ident">bool</span>,
<span class="ident">allow_missing_origin</span>: <span class="ident">bool</span>,
<span class="ident">allow_upgrade</span>: <span class="ident">bool</span>,
}
<span class="kw">impl</span> <span class="ident">CsrfFilter</span> {
<span class="doccomment">/// Start building a `CsrfFilter`.</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">new</span>() <span class="op">-></span> <span class="ident">CsrfFilter</span> {
<span class="ident">CsrfFilter</span> {
<span class="ident">origins</span>: <span class="ident">HashSet</span>::<span class="ident">new</span>(),
<span class="ident">allow_xhr</span>: <span class="bool-val">false</span>,
<span class="ident">allow_missing_origin</span>: <span class="bool-val">false</span>,
<span class="ident">allow_upgrade</span>: <span class="bool-val">false</span>,
}
}
<span class="doccomment">/// Add an origin that is allowed to make requests. Will be verified</span>
<span class="doccomment">/// against the `Origin` request header.</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">allowed_origin</span><span class="op"><</span><span class="ident">T</span>: <span class="ident">Into</span><span class="op"><</span><span class="ident">String</span><span class="op">>></span>(<span class="kw-2">mut</span> <span class="self">self</span>, <span class="ident">origin</span>: <span class="ident">T</span>) <span class="op">-></span> <span class="ident">CsrfFilter</span> {
<span class="self">self</span>.<span class="ident">origins</span>.<span class="ident">insert</span>(<span class="ident">origin</span>.<span class="ident">into</span>());
<span class="self">self</span>
}
<span class="doccomment">/// Allow all requests with an `X-Requested-With` header.</span>
<span class="doccomment">///</span>
<span class="doccomment">/// A cross-site attacker should not be able to send requests with custom</span>
<span class="doccomment">/// headers unless a CORS policy whitelists them. Therefore it should be</span>
<span class="doccomment">/// safe to allow requests with an `X-Requested-With` header (added</span>
<span class="doccomment">/// automatically by many JavaScript libraries).</span>
<span class="doccomment">///</span>
<span class="doccomment">/// This is disabled by default, because in Safari it is possible to</span>
<span class="doccomment">/// circumvent this using redirects and Flash.</span>
<span class="doccomment">///</span>
<span class="doccomment">/// Use this method to enable more lax filtering.</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">allow_xhr</span>(<span class="kw-2">mut</span> <span class="self">self</span>) <span class="op">-></span> <span class="ident">CsrfFilter</span> {
<span class="self">self</span>.<span class="ident">allow_xhr</span> <span class="op">=</span> <span class="bool-val">true</span>;
<span class="self">self</span>
}
<span class="doccomment">/// Allow requests if the expected `Origin` header is missing (and</span>
<span class="doccomment">/// there is no `Referer` to fall back on).</span>
<span class="doccomment">///</span>
<span class="doccomment">/// The filter is conservative by default, but it should be safe to allow</span>
<span class="doccomment">/// missing `Origin` headers because a cross-site attacker cannot prevent</span>
<span class="doccomment">/// the browser from sending `Origin` on unprotected requests.</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">allow_missing_origin</span>(<span class="kw-2">mut</span> <span class="self">self</span>) <span class="op">-></span> <span class="ident">CsrfFilter</span> {
<span class="self">self</span>.<span class="ident">allow_missing_origin</span> <span class="op">=</span> <span class="bool-val">true</span>;
<span class="self">self</span>
}
<span class="doccomment">/// Allow cross-site upgrade requests (for example to open a WebSocket).</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">allow_upgrade</span>(<span class="kw-2">mut</span> <span class="self">self</span>) <span class="op">-></span> <span class="ident">CsrfFilter</span> {
<span class="self">self</span>.<span class="ident">allow_upgrade</span> <span class="op">=</span> <span class="bool-val">true</span>;
<span class="self">self</span>
}
<span class="kw">fn</span> <span class="ident">validate</span>(<span class="kw-2">&</span><span class="self">self</span>, <span class="ident">req</span>: <span class="kw-2">&</span><span class="ident">Request</span>) <span class="op">-></span> <span class="prelude-ty">Result</span><span class="op"><</span>(), <span class="ident">CsrfError</span><span class="op">></span> {
<span class="kw">let</span> <span class="ident">is_upgrade</span> <span class="op">=</span> <span class="ident">req</span>.<span class="ident">headers</span>().<span class="ident">contains_key</span>(<span class="ident">header</span>::<span class="ident">UPGRADE</span>);
<span class="kw">let</span> <span class="ident">is_safe</span> <span class="op">=</span> <span class="ident">req</span>.<span class="ident">method</span>().<span class="ident">is_safe</span>() <span class="op">&&</span> (<span class="self">self</span>.<span class="ident">allow_upgrade</span> <span class="op">||</span> <span class="op">!</span><span class="ident">is_upgrade</span>);
<span class="kw">if</span> <span class="ident">is_safe</span> <span class="op">||</span> (<span class="self">self</span>.<span class="ident">allow_xhr</span> <span class="op">&&</span> <span class="ident">req</span>.<span class="ident">headers</span>().<span class="ident">contains_key</span>(<span class="string">"x-requested-with"</span>))
{
<span class="prelude-val">Ok</span>(())
} <span class="kw">else</span> <span class="kw">if</span> <span class="kw">let</span> <span class="prelude-val">Some</span>(<span class="ident">header</span>) <span class="op">=</span> <span class="ident">origin</span>(<span class="ident">req</span>.<span class="ident">headers</span>()) {
<span class="kw">match</span> <span class="ident">header</span> {
<span class="prelude-val">Ok</span>(<span class="kw-2">ref</span> <span class="ident">origin</span>) <span class="kw">if</span> <span class="self">self</span>.<span class="ident">origins</span>.<span class="ident">contains</span>(<span class="ident">origin</span>.<span class="ident">as_ref</span>()) <span class="op">=></span> <span class="prelude-val">Ok</span>(()),
<span class="prelude-val">Ok</span>(<span class="kw">_</span>) <span class="op">=></span> <span class="prelude-val">Err</span>(<span class="ident">CsrfError</span>::<span class="ident">CsrDenied</span>),
<span class="prelude-val">Err</span>(<span class="ident">err</span>) <span class="op">=></span> <span class="prelude-val">Err</span>(<span class="ident">err</span>),
}
} <span class="kw">else</span> <span class="kw">if</span> <span class="self">self</span>.<span class="ident">allow_missing_origin</span> {
<span class="prelude-val">Ok</span>(())
} <span class="kw">else</span> {
<span class="prelude-val">Err</span>(<span class="ident">CsrfError</span>::<span class="ident">MissingOrigin</span>)
}
}
}
<span class="kw">impl</span><span class="op"><</span><span class="ident">S</span><span class="op">></span> <span class="ident">Middleware</span><span class="op"><</span><span class="ident">S</span><span class="op">></span> <span class="kw">for</span> <span class="ident">CsrfFilter</span> {
<span class="kw">fn</span> <span class="ident">start</span>(<span class="kw-2">&</span><span class="self">self</span>, <span class="ident">req</span>: <span class="kw-2">&</span><span class="ident">HttpRequest</span><span class="op"><</span><span class="ident">S</span><span class="op">></span>) <span class="op">-></span> <span class="prelude-ty">Result</span><span class="op"><</span><span class="ident">Started</span><span class="op">></span> {
<span class="self">self</span>.<span class="ident">validate</span>(<span class="ident">req</span>)<span class="question-mark">?</span>;
<span class="prelude-val">Ok</span>(<span class="ident">Started</span>::<span class="ident">Done</span>)
}
}
<span class="attribute">#[<span class="ident">cfg</span>(<span class="ident">test</span>)]</span>
<span class="kw">mod</span> <span class="ident">tests</span> {
<span class="kw">use</span> <span class="kw">super</span>::<span class="kw-2">*</span>;
<span class="kw">use</span> <span class="ident">http</span>::<span class="ident">Method</span>;
<span class="kw">use</span> <span class="ident">test</span>::<span class="ident">TestRequest</span>;
<span class="attribute">#[<span class="ident">test</span>]</span>
<span class="kw">fn</span> <span class="ident">test_safe</span>() {
<span class="kw">let</span> <span class="ident">csrf</span> <span class="op">=</span> <span class="ident">CsrfFilter</span>::<span class="ident">new</span>().<span class="ident">allowed_origin</span>(<span class="string">"https://www.example.com"</span>);
<span class="kw">let</span> <span class="ident">req</span> <span class="op">=</span> <span class="ident">TestRequest</span>::<span class="ident">with_header</span>(<span class="string">"Origin"</span>, <span class="string">"https://www.w3.org"</span>)
.<span class="ident">method</span>(<span class="ident">Method</span>::<span class="ident">HEAD</span>)
.<span class="ident">finish</span>();
<span class="macro">assert</span><span class="macro">!</span>(<span class="ident">csrf</span>.<span class="ident">start</span>(<span class="kw-2">&</span><span class="ident">req</span>).<span class="ident">is_ok</span>());
}
<span class="attribute">#[<span class="ident">test</span>]</span>
<span class="kw">fn</span> <span class="ident">test_csrf</span>() {
<span class="kw">let</span> <span class="ident">csrf</span> <span class="op">=</span> <span class="ident">CsrfFilter</span>::<span class="ident">new</span>().<span class="ident">allowed_origin</span>(<span class="string">"https://www.example.com"</span>);
<span class="kw">let</span> <span class="ident">req</span> <span class="op">=</span> <span class="ident">TestRequest</span>::<span class="ident">with_header</span>(<span class="string">"Origin"</span>, <span class="string">"https://www.w3.org"</span>)
.<span class="ident">method</span>(<span class="ident">Method</span>::<span class="ident">POST</span>)
.<span class="ident">finish</span>();
<span class="macro">assert</span><span class="macro">!</span>(<span class="ident">csrf</span>.<span class="ident">start</span>(<span class="kw-2">&</span><span class="ident">req</span>).<span class="ident">is_err</span>());
}
<span class="attribute">#[<span class="ident">test</span>]</span>
<span class="kw">fn</span> <span class="ident">test_referer</span>() {
<span class="kw">let</span> <span class="ident">csrf</span> <span class="op">=</span> <span class="ident">CsrfFilter</span>::<span class="ident">new</span>().<span class="ident">allowed_origin</span>(<span class="string">"https://www.example.com"</span>);
<span class="kw">let</span> <span class="ident">req</span> <span class="op">=</span> <span class="ident">TestRequest</span>::<span class="ident">with_header</span>(
<span class="string">"Referer"</span>,
<span class="string">"https://www.example.com/some/path?query=param"</span>,
).<span class="ident">method</span>(<span class="ident">Method</span>::<span class="ident">POST</span>)
.<span class="ident">finish</span>();
<span class="macro">assert</span><span class="macro">!</span>(<span class="ident">csrf</span>.<span class="ident">start</span>(<span class="kw-2">&</span><span class="ident">req</span>).<span class="ident">is_ok</span>());
}
<span class="attribute">#[<span class="ident">test</span>]</span>
<span class="kw">fn</span> <span class="ident">test_upgrade</span>() {
<span class="kw">let</span> <span class="ident">strict_csrf</span> <span class="op">=</span> <span class="ident">CsrfFilter</span>::<span class="ident">new</span>().<span class="ident">allowed_origin</span>(<span class="string">"https://www.example.com"</span>);
<span class="kw">let</span> <span class="ident">lax_csrf</span> <span class="op">=</span> <span class="ident">CsrfFilter</span>::<span class="ident">new</span>()
.<span class="ident">allowed_origin</span>(<span class="string">"https://www.example.com"</span>)
.<span class="ident">allow_upgrade</span>();
<span class="kw">let</span> <span class="ident">req</span> <span class="op">=</span> <span class="ident">TestRequest</span>::<span class="ident">with_header</span>(<span class="string">"Origin"</span>, <span class="string">"https://cswsh.com"</span>)
.<span class="ident">header</span>(<span class="string">"Connection"</span>, <span class="string">"Upgrade"</span>)
.<span class="ident">header</span>(<span class="string">"Upgrade"</span>, <span class="string">"websocket"</span>)
.<span class="ident">method</span>(<span class="ident">Method</span>::<span class="ident">GET</span>)
.<span class="ident">finish</span>();
<span class="macro">assert</span><span class="macro">!</span>(<span class="ident">strict_csrf</span>.<span class="ident">start</span>(<span class="kw-2">&</span><span class="ident">req</span>).<span class="ident">is_err</span>());
<span class="macro">assert</span><span class="macro">!</span>(<span class="ident">lax_csrf</span>.<span class="ident">start</span>(<span class="kw-2">&</span><span class="ident">req</span>).<span class="ident">is_ok</span>());
}
}
</pre>
</section><section id="search" class="content hidden"></section><section class="footer"></section><aside id="help" class="hidden"><div><h1 class="hidden">Help</h1><div class="shortcuts"><h2>Keyboard Shortcuts</h2><dl><dt><kbd>?</kbd></dt><dd>Show this help dialog</dd><dt><kbd>S</kbd></dt><dd>Focus the search field</dd><dt><kbd>↑</kbd></dt><dd>Move up in search results</dd><dt><kbd>↓</kbd></dt><dd>Move down in search results</dd><dt><kbd>↹</kbd></dt><dd>Switch tab</dd><dt><kbd>⏎</kbd></dt><dd>Go to active search result</dd><dt><kbd>+</kbd></dt><dd>Expand all sections</dd><dt><kbd>-</kbd></dt><dd>Collapse all sections</dd></dl></div><div class="infos"><h2>Search Tricks</h2><p>Prefix searches with a type followed by a colon (e.g. <code>fn:</code>) to restrict the search to a given type.</p><p>Accepted types are: <code>fn</code>, <code>mod</code>, <code>struct</code>, <code>enum</code>, <code>trait</code>, <code>type</code>, <code>macro</code>, and <code>const</code>.</p><p>Search functions by type signature (e.g. <code>vec -> usize</code> or <code>* -> vec</code>)</p><p>Search multiple things at once by splitting your query with comma (e.g. <code>str,u8</code> or <code>String,struct:Vec,test</code>)</p></div></div></aside><script>window.rootPath = "../../../";window.currentCrate = "actix_web";</script><script src="../../../aliases.js"></script><script src="../../../main.js"></script><script defer src="../../../search-index.js"></script></body></html>