1
0
Fork 0
mirror of https://github.com/actix/actix-web.git synced 2024-11-26 11:31:09 +00:00

CORS: Do not validate Origin header on non-OPTION requests #271

This commit is contained in:
Nikolay Kim 2018-06-05 07:39:47 -07:00
parent 67ee24f9a0
commit f94fd9ebee

View file

@ -424,7 +424,10 @@ impl<S> Middleware<S> for Cors {
.finish(),
))
} else {
self.validate_origin(req)?;
// Only check requests with a origin header.
if req.headers().contains_key(header::ORIGIN) {
self.validate_origin(req)?;
}
Ok(Started::Done)
}
@ -1007,16 +1010,15 @@ mod tests {
assert!(cors.start(&mut req).unwrap().is_done());
}
#[test]
#[should_panic(expected = "MissingOrigin")]
fn test_validate_missing_origin() {
let mut cors = Cors::build()
.allowed_origin("https://www.example.com")
.finish();
let mut req = HttpRequest::default();
cors.start(&mut req).unwrap();
}
// #[test]
// #[should_panic(expected = "MissingOrigin")]
// fn test_validate_missing_origin() {
// let mut cors = Cors::build()
// .allowed_origin("https://www.example.com")
// .finish();
// let mut req = HttpRequest::default();
// cors.start(&mut req).unwrap();
// }
#[test]
#[should_panic(expected = "OriginNotAllowed")]
@ -1133,10 +1135,19 @@ mod tests {
})
});
let request = srv.get().uri(srv.url("/test")).finish().unwrap();
let request = srv
.get()
.uri(srv.url("/test"))
.header("ORIGIN", "https://www.example2.com")
.finish()
.unwrap();
let response = srv.execute(request.send()).unwrap();
assert_eq!(response.status(), StatusCode::BAD_REQUEST);
let request = srv.get().uri(srv.url("/test")).finish().unwrap();
let response = srv.execute(request.send()).unwrap();
assert_eq!(response.status(), StatusCode::OK);
let request = srv
.get()
.uri(srv.url("/test"))