feat: add CORS access control header to the API

Fix #118.
anna-is-cute · Jun 12, 2019 · fa908ee · fa908ee
1 parent f4f6955
commit fa908ee
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/webserver/src/routes/web/fairings/security_headers.rs b/webserver/src/routes/web/fairings/security_headers.rs
@@ -15,10 +15,14 @@ impl Fairing for SecurityHeaders {
     }
   }
 
-  fn on_response(&self, _: &Request, resp: &mut Response) {
+  fn on_response(&self, req: &Request, resp: &mut Response) {
     resp.set_header(Header::new("X-Frame-Options", "DENY"));
     resp.set_header(Header::new("X-XSS-Protection", "1; mode=block"));
     resp.set_header(Header::new("X-Content-Type-Options", "nosniff"));
     resp.set_header(Header::new("Referrer-Policy", "strict-origin-when-cross-origin"));
+
+    if req.uri().path().starts_with("/api/") {
+      resp.set_header(Header::new("Access-Control-Allow-Origin", "*"));
+    }
   }
 }