Closed rts-gordon closed 2 years ago
That looks like it should work, does it not?
This CORS opens up everything though, the code for a more specific one is pretty simple if you'd like to update it:
#[middleware_fn]
pub async fn cors<T: 'static + Context + Send>(
mut context: T,
next: MiddlewareNext<T>,
) -> MiddlewareResult<T> {
context.set("Access-Control-Allow-Origin", "*");
context.set("Access-Control-Allow-Headers", "*");
context.set(
"Access-Control-Allow-Methods",
"GET, POST, PUT, DELETE, OPTIONS",
);
next(context).await
}
You'd adjust the fields as necessary.
Thanks @trezm I update the code a little follow as yours, but it did not work. I can still access mydomain.com from other address, like wss://bridge.otherdomain.com.
#[middleware_fn]
async fn cors(mut context: Ctx, next: MiddlewareNext<Ctx>) -> MiddlewareResult<Ctx> {
context.set("Access-Control-Allow-Origin", "wss://bridge.mydomain.com");
context.set("Access-Control-Allow-Headers", "*");
context.set(
"Access-Control-Allow-Methods",
"GET, POST, PUT, DELETE, OPTIONS",
);
next(context).await
}
I add some conditions, and test with https://bridge.mydomain.com, but it still did not work.
context.set("Access-Control-Allow-Credentials", "true");
what's the response look like if you curl that endpoint? Testing the builtin cors middleware I see all of the correct cors headers:
curl -v http://localhost:4321/plaintext
* Trying ::1:4321...
* connect to ::1 port 4321 failed: Connection refused
* Trying 127.0.0.1:4321...
* Connected to localhost (127.0.0.1) port 4321 (#0)
> GET /plaintext HTTP/1.1
> Host: localhost:4321
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< server: thruster
< access-control-allow-origin: *
< access-control-allow-headers: *
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
< content-length: 13
< date: Fri, 25 Mar 2022 16:23:28 GMT
<
* Connection #0 to host localhost left intact
Hello, World!%
Is the context perhaps getting overwritten in some downstream middleware?
I set the allow-origin to "https://bridge.mydomain.com", so if someone access from other domain, the access will be refused, is this correct? But I found that still can access this domain from other domains.
The curl response as follows:
$ curl -v http://localhost:3101/plaintext
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying ::1:3101...
* Trying 127.0.0.1:3101...
* Connected to localhost (127.0.0.1) port 3101 (#0)
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0> GET /plaintext HTTP/1.1
> Host: localhost:3101
> User-Agent: curl/7.73.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< server: thruster
< access-control-allow-origin: https://bridge.mydomain.com
< access-control-allow-headers: *
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
< access-control-allow-credentials: true
< content-length: 2218
< date: Fri, 25 Mar 2022 22:30:40 GMT
<
{ [2218 bytes data]
100 2218 100 2218 0 0 9728 0 --:--:-- --:--:-- --:--:-- 9728<!doctype html>
<html>
<head>
<title>Socket.IO chat</title>
<style>
* { margin: 0; padding: 0; box-sizing: border-box; }
body { font: 13px Helvetica, Arial; }
...
That looks correct to me, the initial page load should work, but any calls made by the page at localhost should fail. Are you seeing a fetch request on the page go through successfully as well?
On Fri, Mar 25, 2022, 6:41 PM Gordon @.***> wrote:
I set the allow-origin to "https://bridge.mydomain.com", so if someone access from other domain, the access will be refused, is this correct? But I found that still can access this domain from other domains.
The curl response as follows:
$ curl -v http://localhost:3101/plaintext % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying ::1:3101...
- Trying 127.0.0.1:3101...
- Connected to localhost (127.0.0.1) port 3101 (#0) 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0> GET /plaintext HTTP/1.1
Host: localhost:3101 User-Agent: curl/7.73.0 Accept: /
- Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < server: thruster < access-control-allow-origin: https://bridge.mydomain.com < access-control-allow-headers: * < access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS < access-control-allow-credentials: true < content-length: 2218 < date: Fri, 25 Mar 2022 22:30:40 GMT < { [2218 bytes data] 100 2218 100 2218 0 0 9728 0 --:--:-- --:--:-- --:--:-- 9728<!doctype html>
Socket.IO chat
Hi @trezm I run a thruster-socketio server, need to set some special domains, but I didn't find any examples to show how to set CORS. May I know how to set CORS with Thruster?
Thanks a lot.