berkus
/
actix-web
mirror of https://github.com/fafhrd91/actix-web
1
0
Fork 0
Code Issues Releases Wiki Activity

CORS: Do not validate Origin header on non-OPTION requests 

The Origin header should not be validated on non OPTION-requests.
This provides no additional security and breaks non-web browser requests
which do not supply an origin header.

Fixes #271
This commit is contained in:
Christoph Herzog 2018-06-02 21:49:18 +02:00
parent 3c472a2f66
commit 4f9dbf74bf
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/middleware/cors.rs
View File

@ -424,7 +424,10 @@ impl<S> Middleware<S> for Cors {
.finish(), .finish(),
)) ))
} else { } else {
// Only check requests with a origin header.
if req.headers().contains_key(header::ORIGIN) {
self.validate_origin(req)?; self.validate_origin(req)?;
}
Ok(Started::Done) Ok(Started::Done)
} }