Struct CorsPolicy 

pub struct CorsPolicy { /* private fields */ }

A compiled CORS policy. Built once from CorsCfg; the string header values are precomputed so the request path only does cheap lookups and inserts.

Implementations

impl CorsPolicy

pub fn build(cfg: &CorsCfg) -> Result<Option<CorsPolicy>>

Compile the policy, or Ok(None) when CORS is disabled. Fails fast on an incoherent policy (credentialed wildcard, enabled-but-no-origins, bad max_age) so the mistake surfaces at startup/reload like any other bad config — not as silently-missing CORS headers at request time.

pub fn preflight_response(&self, headers: &HeaderMap) -> Option<Response<Body>>

If headers describe a CORS preflight (an OPTIONS with Origin + Access-Control-Request-Method), build the 204 response to answer it with. Returns None when it isn’t a preflight, so the caller falls through to normal handling. When the origin isn’t allowed we still return a 204, just without the CORS headers — the browser then refuses the cross-origin call.

The caller must only invoke this for OPTIONS requests; the Access-Control-Request-Method presence check distinguishes a real preflight from a plain OPTIONS.

pub fn decorate(&self, req_headers: &HeaderMap, resp: &mut Response<Body>)

Add the CORS headers to an actual (non-preflight) response, based on the request’s Origin. A no-op when the request has no Origin (not a cross-origin browser request) or the origin isn’t allowed.

pub fn decorate_origin(&self, origin: &str, resp: &mut Response<Body>)

Like decorate, but given the request Origin directly. A no-op when the origin isn’t allowed. Idempotent, so it’s safe to call on a response that may already carry CORS headers (e.g. a preflight). Used to decorate every response — including EdgeGuard-generated 401/403/429 — so an allowed browser origin sees the real status rather than a generic CORS failure.