pub fn cors_layer(cfg: &CorsConfig) -> CorsLayerExpand description
Build the CORS layer for the gateway router.
- Empty allowlist (
cfg.allowed_origins.is_empty()) → returnsCorsLayer::new(), which sets noAccess-Control-Allow-Originheader and therefore rejects every cross-origin request. This is the safe default for fresh installs — operators opt in by settingTENSOR_WASM_API_CORS_ALLOWED_ORIGINS. - Non-empty allowlist → returns a layer that admits exactly those
origins (parsed back into
HeaderValues; unparseable entries are silently dropped — they were already rejected at startup by the bearer-auth allowlist parser’s stricter sibling and would never match a real browserOriginheader anyway).
The allowed methods (GET, POST, DELETE) and headers
(Authorization, Content-Type, X-TensorWasm-Tenant, Traceparent)
match the API’s wire surface — see API.md.