CORS: Do not validate Origin header on non-OPTION requests

The Origin header should not be validated on non-OPTION requests.
This provides no additional security and breaks non-web browser requests
which do not supply an origin header.

Fixes #271
Christoph Herzog 2018-06-02 21:49:18 +02:00
parent 3c472a2f66
commit 4f9dbf74bf
1 changed files with 4 additions and 1 deletions

@ -424,7 +424,10 @@ impl<S> Middleware<S> for Cors {
.finish(),
))
} else {
self.validate_origin(req)?;
// Only check requests with a origin header.
if req.headers().contains_key(header::ORIGIN) {
self.validate_origin(req)?;
}
Ok(Started::Done)
}
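
Review bot: the guard added in the else branch still calls validate_origin whenever an Origin header is present, so the behaviour does not match the commit title, which says Origin is not validated on non-OPTION requests at all. Either reword the message to say that validation is skipped only when the header is absent, or drop the call if the title is the intent. The inline comment should read "an Origin header" and would be more useful if it stated why a missing header is accepted (non-browser clients do not send one). Since requests without Origin now reach Started::Done unchecked, a short doc note that this middleware is not an access control for non-browser callers would help, along with two tests: one request with no Origin header that passes, and one with a disallowed Origin that is still rejected.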