Add Cors for setting CORS headers

[davidpdrsn]

Example usage:

use http::{Request, Response, Method, header};
use hyper::Body;
use tower::{ServiceBuilder, ServiceExt, Service};
use tower_http::cors::{CorsLayer, Any};
use std::convert::Infallible;

async fn handle(request: Request<Body>) -> Result<Response<Body>, Infallible> {
    Ok(Response::new(Body::empty()))
}

let cors = CorsLayer::new()
    .allow_methods(vec![Method::GET, Method::POST, Method::OPTIONS])
    .allow_origin(Any)
    .allow_credentials(false);

let mut service = ServiceBuilder::new()
    .layer(cors)
    .service_fn(handle);

let request = Request::builder()
    .header(header::ORIGIN, "https://example.com")
    .body(Body::empty())
    .unwrap();

let response = service
    .ready()
    .await?
    .call(request)
    .await?;

assert_eq!(
    response.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN).unwrap(),
    "*",
);

Implementation is based on CorsMiddleware from tide.

[jplatte]

I've had a look and one thing I'm missing is a little more flexibility for origins. actix_cors allows you to simply provide a closure to check origins which aren't in the allow list. In the crate docs this is part of their example:

.allowed_origin_fn(|origin, _req_head| {
  origin.as_bytes().ends_with(b".rust-lang.org")
})

and I've previously done a very similar thing with that crate, with an additional origin.starts_with(b"https://") check.

[hawkw]

I've had a look and one thing I'm missing is a little more flexibility for origins. actix_cors allows you to simply provide a closure to check origins which aren't in the allow list. In the crate docs this is part of their example:

.allowed_origin_fn(|origin, _req_head| {
  origin.as_bytes().ends_with(b".rust-lang.org")
})

and I've previously done a very similar thing with that crate, with an additional origin.starts_with(b"https://") check.

Hmm, yeah, I wonder if what we want is a trait for allowed origin predicates that can be implemented by closures and by T: Into<AnyOr<Origin>>?

[hawkw]

I wonder if it would make sense to implement the CORS logic as an AsyncPredicate for use with tower::filter. The CORS layer could then build filter services with that predicate.

OTTOH, I'm not sure how much value there is from this — most of the meat is in the Future impl, which would stay the same either way.

[davidpdrsn]

Hmm, yeah, I wonder if what we want is a trait for allowed origin predicates that can be implemented by closures and by T: Into<AnyOr>?

I like that idea! I'll experiment.

[davidpdrsn]

Another thing to consider is that since parts of this code is copied from tide, we have to include their license somewhere.

[nkconnor]

Adding my comments from Discord so I can add follow-ups given the time

[fourbytes]

Using Axum for a project at the moment and in need of a CORS layer, any idea when this will be ready?

[davidpdrsn]

Using Axum for a project at the moment and in need of a CORS layer, any idea when this will be ready?

I'm gonna look into this once axum 0.2 is released, which will happen this week. I can't give an ETA on merging this however. Until then you can apply the CORS headers manually and add a catch-all route for OPTIONS requests.

[fourbytes]

Ended up quickly forking this branch as I needed the ability to allow multiple origins which was difficult to do with manually injected headers.

With these changes it seems to be working nicely.

[davidpdrsn]

Believe I've addresses all the comments now. Thanks for the feedback!

Allow-Origin can be now determined via a closure, similar to actix-cors:

use tower_http::cors::{CorsLayer, Any};
use http::{HeaderValue, request::Parts};

let layer = CorsLayer::new().allow_origin(|origin: &HeaderValue, _request_head: &Parts| {
    origin.as_bytes().ends_with(b".rust-lang.org")
});

@jplatte @hawkw @fourbytes @nkconnor Wanna give this another look?

[nkconnor]

lg2m - thanks!

[fourbytes]

Doesn't seem to be working for me yet due to an issue with the valid method check. Other than that though, API looks great.

[jplatte]

One thing this still doesn't allow which actix-cors allows is

Cors::ctor()
    .allowed_origin("http://127.0.0.1")
    .allowed_origin("foo.bar.org")
    .allowed_origin_fn(|origin, _| {
        let origin = origin.as_bytes();
        origin.starts_with(b"https://") && origin.ends_with(b".rust-lang.org")
    })

which also means that it's impossible with the current code structure for clients to discover some of the origins that would be allowed to use a route, at least when using a closure (it will look like no origins are allowed when doing the request from a disallowed origin). I think what actix-cors does is send all origins that are specified explicitly regardless of whether they match, and additionally send the request origin back in the header if the function marks it as allowed.

I don't think it would be a problem for me, but I thought I'd still bring it up.

[davidpdrsn]

which also means that it's impossible with the current code structure for clients to discover some of the origins that would be allowed to use a route, at least when using a closure (it will look like no origins are allowed when doing the request from a disallowed origin). I think what actix-cors does is send all origins that are specified explicitly regardless of whether they match, and additionally send the request origin back in the header if the function marks it as allowed.

Hm thats a good point. I was wondering why actix that it setup the way they did. Although I do think its unfortunate to have to store both a list a allowed origins, and a closure to call if nothing else matches 🤔

I don't think it would be a problem for me, but I thought I'd still bring it up.

Would be an issue for me either. I'm leaning towards keeping it as is 🤷

[DoumanAsh]

We're interested in having cors for our ongoing migration to axum.
I've put some minor comments

[DoumanAsh]

Small suggestions to improve efficiency and performance

[silvioprog]

Hey guys, is there any plan when it will be merged?

[davidpdrsn]

I basically just have to clean up the docs and then it should be good to go. Should happen somewhat soon but dunno exactly when. I recommend going with a git dependency on tower-http for now.