From 1b298142e3b954003b419db015796bbcc702adcd Mon Sep 17 00:00:00 2001 From: Douman Date: Fri, 21 Sep 2018 08:45:22 +0300 Subject: [PATCH] Correct composing of multiple origins in cors (#518) --- CHANGES.md | 1 + src/middleware/cors.rs | 20 +++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 36b6dc765..ecdb65ef1 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -5,6 +5,7 @@ ### Fixed * HTTP1 decoding errors are reported to the client. #512 +* Correctly compose multiple allowed origins in CORS. #517 ## [0.7.8] - 2018-09-17 diff --git a/src/middleware/cors.rs b/src/middleware/cors.rs index e75dc73ee..f1adf0c4b 100644 --- a/src/middleware/cors.rs +++ b/src/middleware/cors.rs @@ -826,8 +826,8 @@ impl CorsBuilder { if let AllOrSome::Some(ref origins) = cors.origins { let s = origins .iter() - .fold(String::new(), |s, v| s + &v.to_string()); - cors.origins_str = Some(HeaderValue::try_from(s.as_str()).unwrap()); + .fold(String::new(), |s, v| format!("{}, {}", s, v)); + cors.origins_str = Some(HeaderValue::try_from(&s[2..]).unwrap()); } if !self.expose_hdrs.is_empty() { @@ -1122,16 +1122,18 @@ mod tests { let cors = Cors::build() .disable_vary_header() .allowed_origin("https://www.example.com") + .allowed_origin("https://www.google.com") .finish(); let resp: HttpResponse = HttpResponse::Ok().into(); let resp = cors.response(&req, resp).unwrap().response(); - assert_eq!( - &b"https://www.example.com"[..], - resp.headers() - .get(header::ACCESS_CONTROL_ALLOW_ORIGIN) - .unwrap() - .as_bytes() - ); + + let origins_str = resp.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN).unwrap().to_str().unwrap(); + + if origins_str.starts_with("https://www.example.com") { + assert_eq!("https://www.example.com, https://www.google.com", origins_str); + } else { + assert_eq!("https://www.google.com, https://www.example.com", origins_str); + } } #[test]