From 4f9dbf74bff7e8f98e367e3b70ed350e2e5f00ba Mon Sep 17 00:00:00 2001
From: Christoph Herzog
Date: Sat, 2 Jun 2018 21:49:18 +0200
Subject: [PATCH] CORS: Do not validate Origin header on non-OPTION requests

The Origin header should not be validated on non OPTION-requests. This provides no additional security and breaks non-web browser requests which do not supply an origin header. Fixes #271
---
 src/middleware/cors.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/middleware/cors.rs b/src/middleware/cors.rs
index 3549ba11b..4bb82defc 100644
--- a/src/middleware/cors.rs
+++ b/src/middleware/cors.rs
@@ -424,7 +424,10 @@ impl Middleware for Cors {
 .finish(),
 ))
 } else {
- self.validate_origin(req)?;
+ // Only check requests with a origin header.
+ if req.headers().contains_key(header::ORIGIN) {
+ self.validate_origin(req)?;
+ }
 Ok(Started::Done)
 }
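Review bot: The added guard in the `else` branch still runs `self.validate_origin(req)?` whenever an Origin header is present, which is narrower than the commit title suggests, and the new comment does not say why a request without the header is accepted. I would spell that out, e.g. `// A request without an Origin header is not a CORS request (e.g. a non-browser client), so only validate when the header is present.` Because requests with no Origin now reach the handler, this middleware should not be relied on as an access-control or CSRF check, and any later code in the middleware that reads the Origin header (not visible in this hunk) has to tolerate its absence. A test for a non-OPTIONS request sent without Origin would pin the new behaviour. The enclosing function starts and ends outside the hunk.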