-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rewrite the CORS middleware #237
Conversation
bb6071e
to
663dd1d
Compare
Still one last thing left to do but if CI passes there should be no more rebases (the last change will be a separate commit). |
I just wanted to highlight that this PR as-is does not change what happens when there is no origin. I read that it's a best practice to include |
It was never constructed.
…request While this should generally be unnecessary, it doesn't hurt apart from the small amount of additional header bytes transmitted and can be helpful in weird edge cases.
663dd1d
to
0e34a8d
Compare
Well, scratch that. The origin is now no longer required for CORS stuff to be sent, since I didn't really see the downside to changing it that way and it even simplified the code. The closure CORS settings constructors still have an origin parameter though, and will not run if there is no origin. Instead, when a closure is configured, we just don't set the corresponding header. I think this should be sufficient for all the use cases I've heard of so far, but with the new design it should be backwards-compatible to introduce a new closure variant without the origin and stuff like that anyways. This is now finally ready for review! 🎉 |
Note that CORS layer can't work since tower-rs/tower-http#237 has not been released yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this looks great! Thanks for working on it.
Wanna add a changelog entry as well?
But why have only one changelog entry when you can have five? 😄 |
@davidpdrsn Just out of curiosity, I need this new cors middleware in Axum, do you plan to release a new version soon ? |
I do yes. Once #250 has landed I'll prepare a release. Until then you can depend on tower-http via a git dependency. |
Closes #194
Motivation
The CORS middleware could use some streamlining internally and also doesn't offer all of the functionality that people want from it.
Solution
This PR basically rewrites how the
cors::ResponseFuture
is built (but changes very little about how its structure andFuture
impl). It builds on my previous refactorings, but still amounts to a very large diff (mostly due to reorganizing how header values are obtained). It might be easier to read the new module entirely than to look at the diffNotes
This is a work in progress, I still need toAllowOrigin
,ExposeHeaders
and such)Vary
header application (currently there's just a hardcoded list of headers there, which seems wrong)Cors::permissive()
(potential names would bepermissive_with_credentials
,very_permissive
,extremely_permissive
,anything_goes
)AllowCredentials::yes()
is combined withAny
headers / origin / ...permissive()
#[must_use]
to most / all of the types in thecors
module