
Only return a single Origin value (#644)

Only return a single origin if matched.
This commit is contained in:
BlueC0re 2018-12-24 19:16:07 +01:00 committed by Douman
parent 477bf0d8ae
commit bfdf762062
2 changed files with 61 additions and 16 deletions


@ -11,6 +11,7 @@
### Fixed ### Fixed
* HTTP1 decoder should perform case-insentive comparison for client requests (e.g. `Keep-Alive`). #631 * HTTP1 decoder should perform case-insentive comparison for client requests (e.g. `Keep-Alive`). #631
* Access-Control-Allow-Origin header should only a return a single, matching origin. #603
## [0.7.16] - 2018-12-11 ## [0.7.16] - 2018-12-11


@ -442,11 +442,23 @@ impl<S> Middleware<S> for Cors {
.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin.clone()); .insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin.clone());
} }
} }
AllOrSome::Some(_) => { AllOrSome::Some(ref origins) => {
if let Some(origin) = req.headers().get(header::ORIGIN).filter(|o| {
match o.to_str() {
Ok(os) => origins.contains(os),
_ => false
}
}) {
resp.headers_mut().insert( resp.headers_mut().insert(
header::ACCESS_CONTROL_ALLOW_ORIGIN, header::ACCESS_CONTROL_ALLOW_ORIGIN,
self.inner.origins_str.as_ref().unwrap().clone(), origin.clone(),
); );
} else {
resp.headers_mut().insert(
header::ACCESS_CONTROL_ALLOW_ORIGIN,
self.inner.origins_str.as_ref().unwrap().clone()
);
};
} }
} }
@ -1134,17 +1146,10 @@ mod tests {
.to_str() .to_str()
.unwrap(); .unwrap();
if origins_str.starts_with("https://www.example.com") {
assert_eq!( assert_eq!(
"https://www.example.com, https://www.google.com", "https://www.example.com",
origins_str origins_str
); );
} else {
assert_eq!(
"https://www.google.com, https://www.example.com",
origins_str
);
}
} }
#[test] #[test]
@ -1180,4 +1185,43 @@ mod tests {
let response = srv.execute(request.send()).unwrap(); let response = srv.execute(request.send()).unwrap();
assert_eq!(response.status(), StatusCode::OK); assert_eq!(response.status(), StatusCode::OK);
} }
#[test]
fn test_multiple_origins() {
let cors = Cors::build()
.allowed_origin("https://example.com")
.allowed_origin("https://example.org")
.allowed_methods(vec![Method::GET])
.finish();
let req = TestRequest::with_header("Origin", "https://example.com")
.method(Method::GET)
.finish();
let resp: HttpResponse = HttpResponse::Ok().into();
let resp = cors.response(&req, resp).unwrap().response();
print!("{:?}", resp);
assert_eq!(
&b"https://example.com"[..],
resp.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.as_bytes()
);
let req = TestRequest::with_header("Origin", "https://example.org")
.method(Method::GET)
.finish();
let resp: HttpResponse = HttpResponse::Ok().into();
let resp = cors.response(&req, resp).unwrap().response();
assert_eq!(
&b"https://example.org"[..],
resp.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.as_bytes()
);
}
} }
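Review bot: The `else` branch in the first hunk (`} else { resp.headers_mut().insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, self.inner.origins_str.as_ref().unwrap().clone()) }`) still answers a request whose `Origin` did not match with the comma-joined list of every allowed origin, so the multi-valued `Access-Control-Allow-Origin` value that #603 reports (browsers treat it as invalid, and it discloses the whole allow-list to any caller) is only removed on the matched path. If the origin validation that runs earlier in the middleware (not in this hunk) already rejects a present-but-unlisted `Origin`, this branch is reached only when the header is absent, i.e. a non-CORS request, and the header can simply be omitted — drop the `else { … }` block and the stray `;` after it. Because the response now depends on the request's `Origin`, the reply should also carry `Vary: Origin` unless the middleware adds it further down, which is not visible here. The match inside the filter reads more directly as `.filter(|o| o.to_str().map_or(false, |os| origins.contains(os)))`. The enclosing `response` method starts and ends outside the hunk; separately, `print!("{:?}", resp);` in `test_multiple_origins` in the last hunk looks like leftover debug output.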