Correct composing of multiple origins in cors (actix#518)

ncmd · Sep 21, 2018 · 1b29814 · 1b29814
1 parent 0dc9665
commit 1b29814
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 9 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -5,6 +5,7 @@
 ### Fixed
 
 * HTTP1 decoding errors are reported to the client. #512
+* Correctly compose multiple allowed origins in CORS. #517
 
 ## [0.7.8] - 2018-09-17
 

diff --git a/src/middleware/cors.rs b/src/middleware/cors.rs
@@ -826,8 +826,8 @@ impl<S: 'static> CorsBuilder<S> {
         if let AllOrSome::Some(ref origins) = cors.origins {
             let s = origins
                 .iter()
-                .fold(String::new(), |s, v| s + &v.to_string());
-            cors.origins_str = Some(HeaderValue::try_from(s.as_str()).unwrap());
+                .fold(String::new(), |s, v| format!("{}, {}", s, v));
+            cors.origins_str = Some(HeaderValue::try_from(&s[2..]).unwrap());
         }
 
         if !self.expose_hdrs.is_empty() {
@@ -1122,16 +1122,18 @@ mod tests {
         let cors = Cors::build()
             .disable_vary_header()
             .allowed_origin("https://www.example.com")
+            .allowed_origin("https://www.google.com")
             .finish();
         let resp: HttpResponse = HttpResponse::Ok().into();
         let resp = cors.response(&req, resp).unwrap().response();
-        assert_eq!(
-            &b"https://www.example.com"[..],
-            resp.headers()
-                .get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
-                .unwrap()
-                .as_bytes()
-        );
+
+        let origins_str = resp.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN).unwrap().to_str().unwrap();
+
+        if origins_str.starts_with("https://www.example.com") {
+            assert_eq!("https://www.example.com, https://www.google.com", origins_str);
+        } else {
+            assert_eq!("https://www.google.com, https://www.example.com", origins_str);
+        }
     }
 
     #[test]