tower-rs / tower-http

HTTP specific Tower utilities.

CORS layer does not seem to be functioning as of 0.5 in conjunction with axum 0.7 #510

Closed rellingson-dev closed 1 week ago

rellingson-dev commented 1 week ago

Bug Report

Version

0.5

Platform

x86_64 x86_64 x86_64 GNU/Linux

Crates

tower-http-cors

Description

I have recently updated my application from using axum 0.6 to 0.7, which required me to update tower-http to 0.5 from 0.1. After this upgrade, our CORS layer no longer returned 401 unauthorized errors when getting bad requests. We have allowed methods set to GET and POST and we use a predicate for our allowed origins. I tested both by simplifying the code to just allow POST and to only allow a single origin, but sending GET requests and requests with an invalid origin still returned 200s.

jplatte commented 1 week ago

This is intended behavior. The CORS layer will mirror back the origin in the access-control-allow-origin response header if it matches your predicate, and omit that header if it doesn't. The browser should then act accordingly (e.g. blocking a subsequent request that would otherwise happen after preflight), irrespective of the status code.
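
The behaviour described in the reply above, as an added std-only Rust model that is not part of the thread and is not tower-http or axum code. It contrasts the header-only CORS decision with a separate server-side origin check; `Response`, `cors_layer`, `origin_gate`, `is_allowed`, the 403 status and the sample origins are all assumptions made for this sketch.

```rust
// Std-only model of the CORS behaviour described in the thread; not tower-http code.
// All names here are hypothetical and exist only for this sketch.
#[derive(Debug, PartialEq)]
struct Response {
    status: u16,
    allow_origin: Option<String>, // models the access-control-allow-origin header
}

// Inner handler: always succeeds and knows nothing about origins.
fn handler() -> Response {
    Response { status: 200, allow_origin: None }
}

// CORS behaviour as described: mirror the origin when the predicate matches,
// omit the header otherwise. The handler still runs and the status is untouched.
fn cors_layer(origin: Option<&str>, allowed: impl Fn(&str) -> bool) -> Response {
    let mut resp = handler();
    if let Some(o) = origin {
        if allowed(o) {
            resp.allow_origin = Some(o.to_string());
        }
    }
    resp
}

// Separate server-side check for services that want an explicit rejection:
// refuse requests whose Origin is present and not allowed (403 is this sketch's choice).
fn origin_gate(origin: Option<&str>, allowed: impl Fn(&str) -> bool) -> Response {
    match origin {
        Some(o) if !allowed(o) => Response { status: 403, allow_origin: None },
        _ => cors_layer(origin, allowed),
    }
}

// Constructed single-origin predicate, standing in for the reporter's predicate.
fn is_allowed(origin: &str) -> bool {
    origin == "https://app.example.test"
}

fn main() {
    let samples = [Some("https://app.example.test"), Some("https://other.example.test"), None];
    for origin in samples {
        println!("{:?}: cors={:?}", origin, cors_layer(origin, is_allowed));
        println!("{:?}: gated={:?}", origin, origin_gate(origin, is_allowed));
    }
}
```

Because the CORS decision is enforced by the browser, a client that ignores the missing header still receives the 200 body, so authorization has to live in the handler or in a check like the gate above.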