Skip to content

Commit 60d9a66

Browse files
authored
feat(server-ng): honor [http.cors] config on the HTTP listener (#3646)
1 parent 45fac44 commit 60d9a66

3 files changed

Lines changed: 333 additions & 11 deletions

File tree

core/server-ng/Cargo.toml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,6 @@ ignored = [
7373
"strum",
7474
"sysinfo",
7575
"tempfile",
76-
"tower-http",
7776
"tracing-appender",
7877
"tracing-opentelemetry",
7978
"ulid",

core/server-ng/config.toml

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -65,19 +65,24 @@ enabled = true
6565
allowed_methods = ["GET", "POST", "PUT", "DELETE"]
6666

6767
# Defines which origins are permitted to make cross-origin requests.
68-
# An asterisk "*" allows all origins. Specific domains can be listed to restrict access.
68+
# An asterisk "*" as the first entry allows all origins (any entries after it
69+
# are ignored); "*" in any other position fails the config. Specific domains
70+
# can be listed to restrict access.
6971
allowed_origins = ["*"]
7072

7173
# Lists allowed headers that can be used in CORS requests.
7274
# For example, ["content-type"] permits only the content-type header.
7375
allowed_headers = ["content-type", "authorization"]
7476

7577
# Headers that browsers are allowed to access in CORS responses.
76-
# An empty array means no additional headers are exposed to browsers.
77-
exposed_headers = [""]
78+
# `x-iggy-view` carries the current VSR view number; exposing it lets browser
79+
# clients read it on cross-origin responses.
80+
exposed_headers = ["x-iggy-view"]
7881

7982
# Determines if credentials like cookies or HTTP auth can be included in CORS requests.
80-
# `true` allows credentials to be included, useful for authenticated sessions.
83+
# `true` allows credentials to be included, useful for authenticated sessions;
84+
# it requires explicit (non-wildcard) allowed_origins, allowed_headers, and
85+
# exposed_headers.
8186
# `false` prevents credentials, enhancing privacy and security.
8287
allow_credentials = false
8388

0 commit comments

Comments
 (0)