secure_boundary 0.1.3

Input validation, request limits, CORS, Fetch Metadata, and browser boundary protections.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

//! Allowlist-based Content-Type checking.

use mime::Mime;

/// Checks whether a `Content-Type` header value is in the provided allowlist.
///
/// # Errors
/// - `"content_type_missing"` — the header value was absent.
/// - `"content_type_invalid"` — the header value could not be parsed as a MIME type.
/// - `"content_type_not_allowed"` — the MIME type is not present in `allowlist`.
pub fn check_content_type(
    content_type: Option<&str>,
    allowlist: &[&str],
) -> Result<(), &'static str> {
    let ct = content_type.ok_or("content_type_missing")?;
    let mime: Mime = ct.parse().map_err(|_| "content_type_invalid")?;
    let essence = format!("{}/{}", mime.type_(), mime.subtype());
    if allowlist.iter().any(|allowed| *allowed == essence) {
        Ok(())
    } else {
        Err("content_type_not_allowed")
    }
}