Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(ws server): support
*
in host and origin filtering #781fix(ws server): support
*
in host and origin filtering #781Changes from 9 commits
a68905b
98b397a
b42ff53
00820d3
04a34f9
17b355b
da017c2
ea3b92d
78fabfa
d0cd8e5
59f30c9
5df48c8
dc1fb5c
af9cecc
094976b
d5357c1
2af268f
8991d4b
060badb
c9cff4c
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the ordering of the params here considered a breaking change? Is there any reason for this other than cleaner order.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't care about the breaking changes, the next will anyway be breaking.
The rationale is to avoid having "the type same" as two consecutive parameters such as
fn foo(x: Option<&str>, y: Option<&str>, z: Option<Vec<B>>)
because it's error prone and easy confuse the parameters.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm struggling to understand
ALWAYS_ALLOWED_HEADERS
; I think that we allow any headers specified in AllowHeaders plus any inALWAYS_ALLOWED_HEADERS
.I guess we have this list so that if the user doesn't allow any headers themselves via the access control stuff, standard requests will still work?
Some headers are also not completely black and white as to whether they are accepted or not. Eg with CORS, we'll always need to return "Content-Type" in the "Access-Control-Allowed-Headers" response, because otherwise I think the user couldn't set that to "application/json" without CORS disallowing it (see https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header#additional_restrictions).
Also there is an
Access-Control-Allow-Origin
header in the list, which is what the server would respond with, so perhaps this doesn't need to be there?Also a client can send an
Access-Control-Request-Method
header in a preflight request, and so perhaps that should be there?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, you are correct.
the following check is performed on each header;
allow_headers.contains(header) || ALLOWED_ALLOWED_HEADERS.contains(header)
Yes, I have not written this myself so I don't know details but I guess so.
Yes, that sounds wrong. Nice catch but nothing really I had in mind to touch in this PR :)
That is handled is separately which is passed separately into this function. I renamed it to
cors_request_headers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, so your suggestion is to only whitelist
Accept
,Accept-Language
,Content-Type
,Content-Language
andAccess-Control-Request-Headers
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the rest needs a CORS request I assume?