mirror of https://github.com/actix/actix-web.git synced 2025-06-05 06:38:47 +00:00

CORS: Do not validate Origin header on non-OPTION requests

The Origin header should not be validated on non OPTION-requests.
This provides no additional security and breaks non-web browser requests
which do not supply an origin header.

Fixes #271
Christoph Herzog 2018-06-02 21:49:18 +02:00
parent 3c472a2f66
commit 4f9dbf74bf


@ -424,7 +424,10 @@ impl<S> Middleware<S> for Cors {
.finish(),
))
} else {
self.validate_origin(req)?;
// Only check requests with a origin header.
if req.headers().contains_key(header::ORIGIN) {
self.validate_origin(req)?;
}
Ok(Started::Done)
}
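
Review bot: The new guard in the else branch still calls self.validate_origin(req)? whenever the request carries an Origin header, so non-OPTIONS requests with an Origin are validated exactly as before; that is narrower than the commit title, which says the header is not validated on non-OPTION requests at all. If the intent is only to let requests without an Origin header pass, state that in the commit message and in the code comment (which should read "an Origin header"). No test for a request lacking the header is visible in this hunk; adding one, alongside a case where a present Origin is still rejected, would pin the behaviour down.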