From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 1 Apr 2022 21:57:21 +0000 (+0100)
Subject: actix: Fix CORS
X-Git-Tag: otter-1.0.0~17
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=2e023ecc04c4f7d1ad30e535ad2d983df506d066;p=otter.git

actix: Fix CORS

The docs aren't entirely clear but suggest that the default allowed
origins is All.  But dbg! output seems to contradict this.  And we
should support more headers, and say that we don't vary our CORS at
all.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---

diff --git a/daemon/main.rs b/daemon/main.rs
index 6e2a9573..d6d62467 100644
--- a/daemon/main.rs
+++ b/daemon/main.rs
@@ -280,9 +280,10 @@ impl<'r> FromFormValue<'r> for BundleToken {
 */
 
 fn updates_cors() -> Cors {
-
   Cors::default()
-      .allowed_methods([Method::GET])
+    .allow_any_origin()
+    .allowed_methods([Method::GET, Method::OPTIONS, Method::HEAD])
+    .disable_vary_header()
 }
 
 #[derive(Debug, Deserialize)]