vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit d821389c2e838c1533bc9e1f5757a5c5719b05e0
parent e7b8602e1f20e0c31327b3aee122a79c08b7282b
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Sat,  5 Oct 2019 16:09:33 +0200

Merge pull request #639 from vverst/cors-update

Change CORS headers
Diffstat:
Msrc/util.rs | 21++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/util.rs b/src/util.rs @@ -42,6 +42,13 @@ impl CORS { _ => "".to_string(), } } + + fn valid_url(url: String) -> String { + match url.as_ref() { + "file://" => "*".to_string(), + _ => url, + } + } } impl Fairing for CORS { @@ -56,21 +63,17 @@ impl Fairing for CORS { let req_headers = request.headers(); // We need to explicitly get the Origin header for Access-Control-Allow-Origin - let req_allow_origin = CORS::get_header(&req_headers, "Origin"); + let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin")); - let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); + response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); - let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method"); + if request.method() == Method::Options { + let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); + let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method"); - if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) { - // Requests with credentials need explicit values since they do not allow wildcards. - response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method)); response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers)); response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); - } - - if request.method() == Method::Options { response.set_status(Status::Ok); response.set_header(ContentType::Plain); response.set_sized_body(Cursor::new(""));