| 120 | } |
| 121 | |
| 122 | pub fn append_cors_headers( |
| 123 | config: &Config, |
| 124 | request_headers: &HeaderMap, |
| 125 | response_headers: &mut HeaderMap, |
| 126 | ) { |
| 127 | let Some(origin) = request_headers |
| 128 | .get(header::ORIGIN) |
| 129 | .and_then(|value| value.to_str().ok()) |
| 130 | else { |
| 131 | return; |
| 132 | }; |
| 133 | |
| 134 | if !origin_is_cors_allowed(config, origin) { |
| 135 | return; |
| 136 | } |
| 137 | |
| 138 | if let Ok(value) = HeaderValue::from_str(origin) { |
| 139 | response_headers.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, value); |
| 140 | } |
| 141 | response_headers.insert( |
| 142 | header::ACCESS_CONTROL_ALLOW_METHODS, |
| 143 | HeaderValue::from_static("GET, POST, OPTIONS"), |
| 144 | ); |
| 145 | response_headers.insert( |
| 146 | header::ACCESS_CONTROL_ALLOW_HEADERS, |
| 147 | HeaderValue::from_static( |
| 148 | "content-type, authorization, x-simdeck-token, x-simdeck-filename", |
| 149 | ), |
| 150 | ); |
| 151 | response_headers.insert( |
| 152 | header::ACCESS_CONTROL_ALLOW_CREDENTIALS, |
| 153 | HeaderValue::from_static("true"), |
| 154 | ); |
| 155 | response_headers.insert(header::VARY, HeaderValue::from_static("Origin")); |
| 156 | |
| 157 | // Chrome's Private Network Access (CORS-RFC1918): a public-internet origin |
| 158 | // (e.g. https://app.simdeck.sh) calling a loopback/private target must see |
| 159 | // this header on the preflight when the request advertises support. |
| 160 | if request_headers |
| 161 | .get("access-control-request-private-network") |
| 162 | .and_then(|value| value.to_str().ok()) |
| 163 | .map(|value| value.eq_ignore_ascii_case("true")) |
| 164 | .unwrap_or(false) |
| 165 | { |
| 166 | response_headers.insert( |
| 167 | HeaderName::from_static("access-control-allow-private-network"), |
| 168 | HeaderValue::from_static("true"), |
| 169 | ); |
| 170 | } |
| 171 | } |
| 172 | |
| 173 | pub fn append_access_cookie(response_headers: &mut HeaderMap, token: &str) { |
| 174 | if let Ok(value) = HeaderValue::from_str(&access_cookie_value(token)) { |