Summary
Config exposes http_cors / get_http_cors() and the README documents CORS behavior, but ServerBuilder::new(io).threads(4).start_http(...) in src/rpc.rs does not attach any CORS middleware or headers.
Impact
- Operators may falsely believe browser CORS is restricted when it is not (or the opposite, depending on default library behavior).
- Browser-based dApps may see inconsistent behavior vs. documentation.
Suggested fix
Either wire CORS into the HTTP stack used by jsonrpc-http-server (if supported), document that CORS must be handled at the reverse proxy, or remove unused config to avoid confusion.
References
src/rpc.rs (ServerBuilder)src/config.rs (get_http_cors)
Summary
Configexposeshttp_cors/get_http_cors()and the README documents CORS behavior, butServerBuilder::new(io).threads(4).start_http(...)insrc/rpc.rsdoes not attach any CORS middleware or headers.Impact
Suggested fix
Either wire CORS into the HTTP stack used by
jsonrpc-http-server(if supported), document that CORS must be handled at the reverse proxy, or remove unused config to avoid confusion.References
src/rpc.rs(ServerBuilder)src/config.rs(get_http_cors)