saret/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-11-04 12:18:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Change CORS headers

Browse Source 
Only add Allow-Origin to all requests and move the others to preflight OPTIONS request.
If Origin is `file://` change it to the wildcard.
This commit is contained in:
vpl
2019-10-01 17:26:58 +02:00
parent 8367d1d715
commit 7b1da527a6
1 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/util.rs
View File

@@ -42,6 +42,13 @@ impl CORS {
_ => "".to_string(),
}
}
fn valid_url(url: String) -> String {
match url.as_ref() {
"file://" => "*".to_string(),
_ => url,
}
}
}
impl Fairing for CORS {
@@ -56,21 +63,17 @@ impl Fairing for CORS {
let req_headers = request.headers();
// We need to explicitly get the Origin header for Access-Control-Allow-Origin
let req_allow_origin = CORS::get_header(&req_headers, "Origin");
let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin"));
let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
if request.method() == Method::Options {
let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
// Requests with credentials need explicit values since they do not allow wildcards.
response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
}
if request.method() == Method::Options {
response.set_status(Status::Ok);
response.set_header(ContentType::Plain);
response.set_sized_body(Cursor::new(""));