Skip to content

feat(server-ng): honor [http.cors] config on the HTTP listener#3646

Merged
hubcio merged 2 commits into
masterfrom
feat/server-ng-http-cors
Jul 12, 2026
Merged

feat(server-ng): honor [http.cors] config on the HTTP listener#3646
hubcio merged 2 commits into
masterfrom
feat/server-ng-http-cors

Conversation

@hubcio

@hubcio hubcio commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

The listener deserialized [http.cors] (shipped with
enabled = true) but never read it: no CorsLayer was
installed, so browser clients were blocked and every cors
field in the config was silently dead.

Port the legacy server's mapping: empty origin list =
tower-http default, leading "*" = any origin, otherwise
an explicit allow-list; entries are trimmed, blank ones
dropped, and an unknown method fails the boot loudly
instead of passing through as a custom token.

Unlike the legacy port, configs tower-http rejects by
panicking (a "*" origin past the first position, or
allow_credentials combined with a wildcard origin,
header, or expose list) fail as InvalidConfiguration,
and cors is validated before bind so a bad config never
prints the "started" log or opens the socket.

The layer is outermost because server-ng authenticates
per route: a preflight OPTIONS carries no Authorization
and matches no method route, so it must be answered
before dispatch. Also expose x-iggy-view instead of the
"" placeholder so browser clients can read the view
header cross-origin.

@github-actions github-actions Bot added the S-waiting-on-review PR is waiting on a reviewer label Jul 10, 2026
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 85.99034% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 21.16%. Comparing base (45fac44) to head (a92d5ad).

Files with missing lines Patch % Lines
core/server-ng/src/http.rs 85.99% 13 Missing and 16 partials ⚠️
Additional details and impacted files
@@              Coverage Diff              @@
##             master    #3646       +/-   ##
=============================================
- Coverage     73.47%   21.16%   -52.32%     
  Complexity      937      937               
=============================================
  Files          1286     1283        -3     
  Lines        141019   122433    -18586     
  Branches     116908    98367    -18541     
=============================================
- Hits         103619    25917    -77702     
- Misses        34175    95737    +61562     
+ Partials       3225      779     -2446     
Components Coverage Δ
Rust Core 7.99% <85.99%> (-65.72%) ⬇️
Java SDK 62.44% <ø> (ø)
C# SDK 71.40% <ø> (-0.68%) ⬇️
Python SDK 91.65% <ø> (ø)
PHP SDK 84.29% <ø> (ø)
Node SDK 91.35% <ø> (ø)
Go SDK 42.28% <ø> (ø)
Files with missing lines Coverage Δ
core/server-ng/src/http.rs 55.27% <85.99%> (+55.27%) ⬆️

... and 747 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

The listener deserialized [http.cors] (shipped with
enabled = true) but never read it: no CorsLayer was
installed, so browser clients were blocked and every cors
field in the config was silently dead.

Port the legacy server's mapping: empty origin list =
tower-http default, leading "*" = any origin, otherwise
an explicit allow-list; entries are trimmed, blank ones
dropped, and an unknown method fails the boot loudly
instead of passing through as a custom token.

Unlike the legacy port, configs tower-http rejects by
panicking (a "*" origin past the first position, or
allow_credentials combined with a wildcard origin,
header, or expose list) fail as InvalidConfiguration,
and cors is validated before bind so a bad config never
prints the "started" log or opens the socket.

The layer is outermost because server-ng authenticates
per route: a preflight OPTIONS carries no Authorization
and matches no method route, so it must be answered
before dispatch. Also expose x-iggy-view instead of the
"" placeholder so browser clients can read the view
header cross-origin.
@hubcio hubcio force-pushed the feat/server-ng-http-cors branch from c8127fc to 299b568 Compare July 11, 2026 17:44
@hubcio hubcio merged commit 60d9a66 into master Jul 12, 2026
92 checks passed
@hubcio hubcio deleted the feat/server-ng-http-cors branch July 12, 2026 20:39
@github-actions github-actions Bot removed the S-waiting-on-review PR is waiting on a reviewer label Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants