
Only allow CORS with credentials for safe domains
rogeriochaves committed Jun 2, 2018
1 parent a9c90aa commit 7c4fad9
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions api/src/commons/responders.rs
Expand Up @@ -20,14 +20,19 @@ pub struct CredentialsCors<R>(pub R);
impl<'r, R: Responder<'r>> Responder<'r> for CredentialsCors<R> { impl<'r, R: Responder<'r>> Responder<'r> for CredentialsCors<R> {
#[inline(always)] #[inline(always)]
fn respond_to(self, req: &Request) -> Result<Response<'r>, Status> { fn respond_to(self, req: &Request) -> Result<Response<'r>, Status> {
let allowed_list = vec!["http://localhost:8080", "https://fakenewsdetector.org"];
let origin = format!("{}", req.headers().get("Origin").next().unwrap_or("")); let origin = format!("{}", req.headers().get("Origin").next().unwrap_or(""));


Response::build() if allowed_list.contains(&&*origin) {
.merge(self.0.respond_to(req)?) Response::build()
.raw_header("Access-Control-Allow-Credentials", "true") .merge(self.0.respond_to(req)?)
.raw_header("Access-Control-Allow-Origin", origin) .raw_header("Access-Control-Allow-Credentials", "true")
.raw_header("Access-Control-Allow-Methods", "GET") .raw_header("Access-Control-Allow-Origin", origin)
.ok() .raw_header("Access-Control-Allow-Methods", "GET")
.ok()
} else {
self.0.respond_to(req)
}
} }
} }
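Review bot: The credentialed branch now emits an `Access-Control-Allow-Origin` value that differs per request, but it does not add `Vary: Origin`, so a shared cache in front of the API could serve a response built for an allowlisted origin to a request from a different one; add `.raw_header("Vary", "Origin")` next to the other `raw_header` calls in that branch. The exact-match `contains` check is the right shape (no prefix or suffix matching), though the `http://localhost:8080` entry presumably exists for local development and is worth confirming it is intended to ship in the same list as the production origin. On style, `allowed_list` is rebuilt as a `Vec` on every response; a `const ALLOWED_ORIGINS: &[&str] = &["http://localhost:8080", "https://fakenewsdetector.org"];` checked with `ALLOWED_ORIGINS.contains(&origin.as_str())` avoids the allocation and the `&&*origin` double-reference, and `format!("{}", x)` on the Origin header is clearer as `.to_string()`.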


