
Module cors


CORS policy primitive (Sprint 7 §6.2, ADR-057).

Transport-agnostic CORS rules. Consumers (actix-web, axum) call CorsPolicy::preflight_headers from their OPTIONS handler and CorsPolicy::response_headers from the normal-response path; this crate never mounts routes itself.

Semantics

  • Allowed origins. Either AllowedOrigins::Wildcard (any origin) or AllowedOrigins::Exact (explicit allowlist). An unlisted origin yields None from the preflight path — the caller MUST emit a no-CORS response (typically 403 or the un-augmented 200).
  • Credentials + wildcard. Per the Fetch spec, Access-Control-Allow-Origin: * is invalid when credentials are included. When both are configured, the policy degrades to echoing the concrete request origin and emits Vary: Origin so that a shared cache never serves a response tailored to one origin to a request from another.
  • Exposed headers. Default set targets Solid interop (WAC-Allow, Link, ETag, Accept-Patch, Accept-Post, Updates-Via). Operators override via CorsPolicy::with_expose_headers.
  • Preflight advertising. Access-Control-Allow-Headers echoes the Access-Control-Request-Headers value verbatim (after whitespace normalisation), matching JSS behaviour, so consumers need not maintain an allowlist of request headers. The flip side is that this header advertises whatever the browser asked for and therefore cannot be used to deny particular request headers; that enforcement, if wanted, belongs in the consumer's request handling.
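The four rules above, worked through as a self-contained Rust model. This is an added example, not the crate's own code: the names `CorsModel`, `Origins`, `preflight`, `response`, `normalise_header_list` and `header` are assumptions chosen for illustration (the real crate exposes `CorsPolicy` / `AllowedOrigins`, whose signatures this page does not show), the 86400-second max-age is an assumed value, and emitting `Vary: Origin` for the exact-allowlist case is my generalisation of the credentials-plus-wildcard rule. The expose-header default is the one quoted above.

```rust
// Added example modelling the semantics described on this page.
// Not the crate's API; all names and the 86400 default are assumptions.
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq)]
pub enum Origins {
    Wildcard,
    Exact(BTreeSet<String>), // explicit allowlist, compared as exact strings
}

#[derive(Debug, Clone)]
pub struct CorsModel {
    pub origins: Origins,
    pub allow_credentials: bool,
    pub expose_headers: Vec<&'static str>,
    pub max_age_secs: u64,
}

/// Default expose set as quoted on the page (Solid / LDP interop).
pub const EXPOSE_DEFAULT: &[&str] =
    &["WAC-Allow", "Link", "ETag", "Accept-Patch", "Accept-Post", "Updates-Via"];

impl CorsModel {
    pub fn new(origins: Origins, allow_credentials: bool) -> Self {
        // 86400 is an assumed default; the page does not state the real value.
        Self { origins, allow_credentials, expose_headers: EXPOSE_DEFAULT.to_vec(), max_age_secs: 86400 }
    }

    /// Resolve Access-Control-Allow-Origin for a request origin.
    /// None means "not allowed": the caller must send a no-CORS response.
    /// The bool says whether Vary: Origin is required, which is the case
    /// whenever the emitted value depends on the request origin.
    fn allow_origin(&self, origin: &str) -> Option<(String, bool)> {
        match &self.origins {
            // Wildcard + credentials is invalid per Fetch: degrade to echoing.
            Origins::Wildcard if self.allow_credentials => Some((origin.to_string(), true)),
            Origins::Wildcard => Some(("*".to_string(), false)),
            Origins::Exact(set) if set.contains(origin) => Some((origin.to_string(), true)),
            Origins::Exact(_) => None,
        }
    }

    /// Headers for a preflight OPTIONS. `requested` is the raw
    /// Access-Control-Request-Headers value, if the browser sent one.
    pub fn preflight(&self, origin: &str, requested: Option<&str>) -> Option<Vec<(String, String)>> {
        let (allow, vary) = self.allow_origin(origin)?;
        let mut h: Vec<(String, String)> = vec![("Access-Control-Allow-Origin".into(), allow)];
        if self.allow_credentials {
            h.push(("Access-Control-Allow-Credentials".into(), "true".into()));
        }
        // Echo the requested headers after whitespace normalisation; no allowlist.
        if let Some(raw) = requested {
            let normalised = normalise_header_list(raw);
            if !normalised.is_empty() {
                h.push(("Access-Control-Allow-Headers".into(), normalised));
            }
        }
        h.push(("Access-Control-Max-Age".into(), self.max_age_secs.to_string()));
        if vary {
            h.push(("Vary".into(), "Origin".into()));
        }
        Some(h)
    }

    /// Headers added to a normal (non-preflight) response.
    pub fn response(&self, origin: &str) -> Option<Vec<(String, String)>> {
        let (allow, vary) = self.allow_origin(origin)?;
        let mut h: Vec<(String, String)> = vec![("Access-Control-Allow-Origin".into(), allow)];
        if self.allow_credentials {
            h.push(("Access-Control-Allow-Credentials".into(), "true".into()));
        }
        h.push(("Access-Control-Expose-Headers".into(), self.expose_headers.join(", ")));
        if vary {
            h.push(("Vary".into(), "Origin".into()));
        }
        Some(h)
    }
}

/// Whitespace normalisation of a comma-separated header list:
/// trim each token, drop empty tokens, rejoin with ", ".
pub fn normalise_header_list(raw: &str) -> String {
    raw.split(',').map(str::trim).filter(|t| !t.is_empty()).collect::<Vec<_>>().join(", ")
}

/// Case-insensitive lookup helper for inspecting the produced header list.
pub fn header<'a>(h: &'a [(String, String)], name: &str) -> Option<&'a str> {
    h.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| v.as_str())
}

fn main() {
    let wild_cred = CorsModel::new(Origins::Wildcard, true);
    for (k, v) in wild_cred.response("https://app.example").unwrap() {
        println!("{k}: {v}");
    }
}
```

The consumer wiring follows from the return type: `None` from either method means the handler must answer without any CORS headers (the 403 or un-augmented 200 described above), and `Some(headers)` is appended to whatever status the handler was going to send.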

Structs

CorsPolicy
CORS policy aggregate root. Immutable after construction.

Enums

AllowedOrigins
Origin-matching strategy.

Constants

DEFAULT_EXPOSE_HEADERS
Default headers exposed to the browser — tuned for Solid / LDP interoperability.
DEFAULT_MAX_AGE_SECS
Default Max-Age for preflight caching.
ENV_CORS_ALLOWED_ORIGINS
Environment variable: comma-separated list of allowed origins, or * for wildcard.
ENV_CORS_ALLOW_CREDENTIALS
Environment variable: true/1 to enable credentials.
ENV_CORS_MAX_AGE
Environment variable: preflight max-age in seconds.