I have written a web server in Rust using Actix_Web. I'm preparing it for production, so I wanted to add CORS to the server to improve security. I have used the Actix_Cors package to do that and implemented a test with a basic server. When calling the endpoint, however, the CORS headers are not set and the server accepts connections from any client, even though I have restricted it to a domain that should not work. I'm not sure why this isn't working and have debugged it the best I can. I have followed the instructions for setting up my server precisely as in the Actix-Cors documentation. Could someone help me work out why it's not working?
Main function:
use actix_cors::Cors;
use actix_web::{get, http, App, HttpServer};

// Handler for GET /index.html. The body is served to every caller; the CORS
// middleware only decides which browser origins are told they may read it.
#[get("/index.html")]
async fn index() -> &'static str {
    "<p>Hello World!</p>"
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        let cors = Cors::default()
            // one exact origin, allowed as written
            .allowed_origin("https://www.rust-lang.org/")
            // plus any Origin value that ends in ".rust-lang.org"
            .allowed_origin_fn(|origin, _req_head| origin.as_bytes().ends_with(b".rust-lang.org"))
            .allowed_methods(vec!["GET", "POST"])
            .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])
            .allowed_header(http::header::CONTENT_TYPE)
            .max_age(3600);
        App::new().wrap(cors).service(index)
    })
    .bind(("127.0.0.1", 8080))?
    // propagate the server's result instead of discarding it
    .run()
    .await
}
My Cargo.toml is:
[dependencies]
actix-cors = "0.5.4"
actix-web = "3.3.2"
When I call the index file I get a success when I should not, as it should be refused or blocked.
GET /index.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost:8080
User-Agent: HTTPie/2.4.0

HTTP/1.1 200 OK
content-length: 19
content-type: text/plain; charset=utf-8
date: Tue, 04 May 2021 07:47:02 GMT

<p>Hello World!</p>
Thank you for your help.
I think you are mixing up Authorization with CORS. CORS doesn't mean you are unable to access the page directly; it means that if you are accessing site A, and in site A some JavaScript is trying to access some resources on site B, the browser will decide whether you can access site B based on the CORS settings.
In your case, you are allowing "https://www.rust-lang.org" to access your site (http://127.0.0.1/index.html). This means that if somehow "https://www.rust-lang.org" wants to have JavaScript code access your local site, the browser will allow it to do so. But in practice, rust-lang.org will almost never try to access your localhost, so this is purely a code example of actix cors.
I think what you are looking for is an Authorization middleware; CORS doesn't fit your purpose.
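The behaviour the answer describes, as an added example that is not code from the question, the answer, or actix-cors: a std-only Rust model of the per-request decision a CORS middleware makes with the question's settings (one exact origin plus the `.rust-lang.org` predicate), and of what a browser then does with the answer. The `CorsPolicy`, `handle` and `script_can_read` names are mine, and the model deliberately mirrors only the origin check, not the preflight or header/method checks. It shows why the HTTPie request in the question got a 200: a tool that sends no Origin header is never refused, and even a disallowed origin still receives the body; what changes is only whether Access-Control-Allow-Origin is present, which is what the browser, not the server, acts on.

```rust
// Added example, not part of the question, the answer or actix-cors.
// Models the origin decision of a CORS middleware configured like the
// question's server, then the browser's use of that decision.

/// Policy mirroring the question's settings: a list of exact Origin values
/// plus a predicate for anything ending in ".rust-lang.org".
struct CorsPolicy {
    exact: Vec<&'static str>,
    predicate: fn(&str) -> bool,
}

impl CorsPolicy {
    /// Exact match on the list, or the predicate accepts the Origin value.
    fn allows(&self, origin: &str) -> bool {
        self.exact.iter().any(|o| *o == origin) || (self.predicate)(origin)
    }
}

/// What the server sends back. The body is served unconditionally;
/// only the Access-Control-Allow-Origin header is conditional.
#[derive(Debug, PartialEq)]
struct Response {
    status: u16,
    allow_origin: Option<String>,
    body: &'static str,
}

/// Server side: GET /index.html for a request that may or may not carry an
/// Origin header. Direct tools such as HTTPie or curl send none.
fn handle(policy: &CorsPolicy, origin: Option<&str>) -> Response {
    let allow_origin = match origin {
        Some(o) if policy.allows(o) => Some(o.to_string()),
        _ => None,
    };
    Response {
        status: 200,
        allow_origin,
        body: "<p>Hello World!</p>",
    }
}

/// Browser side: a script running on `page_origin` fetched a resource on
/// `resource_origin`. The browser hands the body to the script only if the
/// response names that origin (or "*"). Same-origin fetches bypass CORS.
fn script_can_read(page_origin: &str, resource_origin: &str, resp: &Response) -> bool {
    if page_origin == resource_origin {
        return true;
    }
    match &resp.allow_origin {
        Some(o) => o == "*" || o == page_origin,
        None => false,
    }
}

/// The question's configuration, transcribed into this model.
fn question_policy() -> CorsPolicy {
    CorsPolicy {
        exact: vec!["https://www.rust-lang.org/"],
        predicate: |origin: &str| origin.as_bytes().ends_with(b".rust-lang.org"),
    }
}

fn main() {
    let policy = question_policy();
    // Constructed sample requests: no Origin (HTTPie), a disallowed origin,
    // and an allowed subdomain.
    for origin in [None, Some("https://evil.example"), Some("https://docs.rust-lang.org")] {
        let resp = handle(&policy, origin);
        println!(
            "Origin {:?} -> HTTP {} Access-Control-Allow-Origin: {:?}",
            origin, resp.status, resp.allow_origin
        );
    }
}
```

Two details worth noticing when running it. A browser serialises Origin as scheme://host[:port] with no path, so "https://www.rust-lang.org" is admitted here by the predicate rather than by the exact entry written with a trailing slash; check how your CORS library compares exact entries before relying on one. And because the predicate is a plain suffix test on the raw header value, an origin with an explicit port such as "https://docs.rust-lang.org:8443" is rejected, while a lookalike host ending in "rust-lang.org.attacker.example" is also rejected, as the tests below confirm.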