
Only allow CORS with credentials for safe domains

rogeriochaves committed Jun 2, 2018
1 parent a9c90aa commit 7c4fad92a1e531197cdb3236f7126813515edc60
Showing with 11 additions and 6 deletions.
  1. +11 −6 api/src/commons/responders.rs
@@ -20,14 +20,19 @@ pub struct CredentialsCors<R>(pub R);
impl<'r, R: Responder<'r>> Responder<'r> for CredentialsCors<R> {
#[inline(always)]
fn respond_to(self, req: &Request) -> Result<Response<'r>, Status> {
let allowed_list = vec!["http://localhost:8080", "https://fakenewsdetector.org"];
let origin = format!("{}", req.headers().get("Origin").next().unwrap_or(""));

Response::build()
.merge(self.0.respond_to(req)?)
.raw_header("Access-Control-Allow-Credentials", "true")
.raw_header("Access-Control-Allow-Origin", origin)
.raw_header("Access-Control-Allow-Methods", "GET")
.ok()
if allowed_list.contains(&&*origin) {
Response::build()
.merge(self.0.respond_to(req)?)
.raw_header("Access-Control-Allow-Credentials", "true")
.raw_header("Access-Control-Allow-Origin", origin)
.raw_header("Access-Control-Allow-Methods", "GET")
.ok()
} else {
self.0.respond_to(req)
}
}
}
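Review bot: The allow-listed branch at `.raw_header("Access-Control-Allow-Origin", origin)` echoes the request's Origin into a response that also carries `Access-Control-Allow-Credentials: true` but never sets `Vary: Origin`, so a shared cache in front of the API can hand the response built for one allowed origin to a request from the other, and the else branch (which returns `self.0.respond_to(req)` with no CORS headers) can likewise poison the cache for allowed origins; add `.raw_header("Vary", "Origin")` alongside the other headers. The allow-list also ships `http://localhost:8080` next to the production origin, which grants credentialed access to any page served from that port on a user's machine — consider restricting that entry to debug builds or loading it from configuration. Style-wise, `vec![...]` allocates a fresh Vec on every response inside a function marked `#[inline(always)]`; a `const ALLOWED_ORIGINS: &[&str] = &["http://localhost:8080", "https://fakenewsdetector.org"];` checked with `ALLOWED_ORIGINS.contains(&origin.as_str())`, and `.to_string()` in place of `format!("{}", ...)`, reads cleaner without changing behaviour.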
