Struct actix_cors::Cors

pub struct Cors { /* fields omitted */ }

Builder for CorsFactory middleware.

To construct a CorsFactory:

1. Call Cors::new() to start building.
2. Use any of the builder methods to customize CORS behavior.
3. Call finish() to retrieve the middleware.

Example

use actix_cors::Cors;
use actix_web::http::header;

let cors = Cors::new()
    .allowed_origin("https://www.rust-lang.org")
    .allowed_methods(vec!["GET", "POST"])
    .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
    .allowed_header(header::CONTENT_TYPE)
    .max_age(3600);

Implementations

impl Cors

pub fn new() -> Cors

Return a new builder.

pub fn default() -> CorsFactory

Build a CORS middleware with default settings.

pub fn allowed_origin(self, origin: &str) -> Cors

Add an origin that is allowed to make requests.

By default, requests from all origins are accepted by CORS logic. This method allows to specify a finite set of origins to verify the value of the Origin request header.

This is the list of origins in the Resource Processing Model.

When this list is set, the client's Origin request header will be checked in a case-sensitive manner.

When all origins are allowed and send_wildcard is set, "*" will be sent in the Access-Control-Allow-Origin response header. If send_wildcard is not set, the client's Origin request header will be echoed back in the Access-Control-Allow-Origin response header.

If the origin of the request doesn't match any allowed origins and at least one allowed_origin_fn function is set, these functions will be used to determinate allowed origins.

Builder panics if supplied origin is not valid uri.

pub fn allowed_origin_fn(self, f: fn(req: &RequestHead) -> bool) -> Cors

Determinate allowed origins by processing requests which didn't match any origins specified in the allowed_origin.

The function will receive a RequestHead of each request, which can be used to determine whether it should be allowed or not.

If the function returns true, the client's Origin request header will be echoed back into the Access-Control-Allow-Origin response header.

pub fn allowed_methods<U, M>(self, methods: U) -> Cors where
    U: IntoIterator<Item = M>,
    M: TryInto<Method>,
    <M as TryInto<Method>>::Error: Into<HttpError>, 

Set a list of methods which allowed origins can perform.

This is the list of methods in the Resource Processing Model.

Defaults to [GET, HEAD, POST, OPTIONS, PUT, PATCH, DELETE]

pub fn allowed_header<H>(self, header: H) -> Cors where
    H: TryInto<HeaderName>,
    <H as TryInto<HeaderName>>::Error: Into<HttpError>, 

Set an allowed header.

pub fn allowed_headers<U, H>(self, headers: U) -> Cors where
    U: IntoIterator<Item = H>,
    H: TryInto<HeaderName>,
    <H as TryInto<HeaderName>>::Error: Into<HttpError>, 

Set a list of header field names which can be used when this resource is accessed by allowed origins.

If All is set, whatever is requested by the client in Access-Control-Request-Headers will be echoed back in the Access-Control-Allow-Headers header.

This is the list of headers in the Resource Processing Model.

Defaults to All.

pub fn expose_headers<U, H>(self, headers: U) -> Cors where
    U: IntoIterator<Item = H>,
    H: TryInto<HeaderName>,
    <H as TryInto<HeaderName>>::Error: Into<HttpError>, 

Set a list of headers which are safe to expose to the API of a CORS API specification. This corresponds to the Access-Control-Expose-Headers response header.

This is the list of exposed headers in the Resource Processing Model.

This defaults to an empty set.

pub fn max_age(self, max_age: usize) -> Cors

Set a maximum time for which this CORS request maybe cached. This value is set as the Access-Control-Max-Age header.

This defaults to None (unset).

pub fn send_wildcard(self) -> Cors

Set a wildcard origins

If send wildcard is set and the allowed_origins parameter is All, a wildcard Access-Control-Allow-Origin response header is sent, rather than the request’s Origin header.

This is the supports credentials flag in the Resource Processing Model.

This CANNOT be used in conjunction with allowed_origins set to All and allow_credentials set to true. Depending on the mode of usage, this will either result in an Error:: CredentialsWithWildcardOrigin error during actix launch or runtime.

Defaults to false.

pub fn supports_credentials(self) -> Cors

Allows users to make authenticated requests

If true, injects the Access-Control-Allow-Credentials header in responses. This allows cookies and credentials to be submitted across domains.

This option cannot be used in conjunction with an allowed_origin set to All and send_wildcards set to true.

Defaults to false.

Builder panics if credentials are allowed, but the Origin is set to "*". This is not allowed by W3C

pub fn disable_vary_header(self) -> Cors

Disable Vary header support.

When enabled the header Vary: Origin will be returned as per the W3 implementation guidelines.

Setting this header when the Access-Control-Allow-Origin is dynamically generated (e.g. when there is more than one allowed origin, and an Origin than '*' is returned) informs CDNs and other caches that the CORS headers are dynamic, and cannot be cached.

By default vary header support is enabled.

pub fn disable_preflight(self) -> Cors

Disable support for preflight requests.

When enabled CORS middleware automatically handles OPTIONS requests. This is useful for application level middleware.

By default preflight support is enabled.

pub fn finish(self) -> CorsFactory

Construct CORS middleware.

Trait Implementations

impl Debug for Cors

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Cors

fn default() -> Cors

Returns the "default value" for a type.