lawliet89 / rocket_cors

Cross-origin resource sharing (CORS) for Rocket.rs applications

Home Page: https://lawliet89.github.io/rocket_cors/

Empty origin header doesn't work

adimarco opened this issue · comments

After pulling my hair out a bit trying to get rocket_cors working with my existing rocket code, I tried checking out the git repo and running cargo run --example fairing and got the same results.

No headers are ever added. curl output for the fairing example nets me:

$ curl -v localhost:8000/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8000
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
* Server Rocket is not blacklisted
< Server: Rocket
< Content-Length: 10
< Date: Fri, 21 Jul 2017 15:00:32 GMT
< 
* Connection #0 to host localhost left intact
Hello CORS

I'm running the latest nightly rust available from rustup:

$ rustup update nightly
info: syncing channel updates for 'nightly-x86_64-unknown-linux-gnu'

  nightly-x86_64-unknown-linux-gnu unchanged - rustc 1.20.0-nightly (ae98ebfcb 2017-07-20)

$ rustc --version
rustc 1.20.0-nightly (ae98ebfcb 2017-07-20)

Console output from the running example is:

 $ cargo run --example fairing
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `target/debug/examples/fairing`
🔧  Configured for development.
    => address: localhost
    => port: 8000
    => log: normal
    => workers: 16
    => secret key: generated
    => limits: forms = 32KiB
    => tls: disabled
🛰  Mounting '/':
    => GET /
🛰  Mounting '/cors':
    => GET /cors/<status>
📡  Fairings:
    => 0 launch: 
    => 1 request: CORS
    => 1 response: CORS
🚀  Rocket has launched from http://localhost:8000

Am I missing something? This is exactly the same thing that happens when I try to integrate it with my existing rocket app (nothing at all).

This seems to be due to the lack of an "Origin" header in my curl request. When I set an Origin header it works.

According to Mozilla, the "Origin" header can be blank - https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Origin though it appears that's not currently supported as rocket_cors is written. (I tried the curl with an -H "Origin: " to send it the empty string)

You can test with the following example:

#![feature(plugin)]
#![plugin(rocket_codegen)]
extern crate rocket;
extern crate rocket_cors;

use rocket::http::Method;
use rocket_cors::{AllowedOrigins, AllowedHeaders};

#[get("/")]
fn get<'a>() -> &'a str {
    "Hello CORS"
}

#[put("/")]
fn put<'a>() -> &'a str {
    "Hello CORS"
}

#[post("/")]
fn post<'a>() -> &'a str {
    "Hello CORS"
}

#[delete("/")]
fn delete<'a>() -> &'a str {
    "Hello CORS"
}

fn main() {
    let (allowed_origins, failed_origins) = AllowedOrigins::some(&["http://www.test-cors.org"]);
    assert!(failed_origins.is_empty());

    // You can also deserialize this
    let options = rocket_cors::Cors {
        allowed_origins: allowed_origins,
        allowed_methods: vec![Method::Get, Method::Put, Method::Post, Method::Delete]
            .into_iter()
            .map(From::from)
            .collect(),
        allowed_headers: AllowedHeaders::some(&["Authorization", "Accept"]),
        allow_credentials: true,
        ..Default::default()
    };

    rocket::ignite()
        .mount("/", routes![get, put, post, delete])
        .attach(options)
        .launch();
}

From the test-cors.org website. For example, to test PUT:

     Running `target/debug/examples/test-cors`
🔧  Configured for development.
    => address: localhost
    => port: 8000
    => log: normal
    => workers: 8
    => secret key: generated
    => limits: forms = 32KiB
    => tls: disabled
🛰  Mounting '/':
    => GET /
    => PUT /
    => POST /
    => DELETE /
🛰  Mounting '/cors':
    => GET /cors/<status>
📡  Fairings:
    => 0 launch: 
    => 1 request: CORS
    => 1 response: CORS
🚀  Rocket has launched from http://localhost:8000
OPTIONS /:
    => Error: No matching routes for OPTIONS /.
    => Warning: Responding with 404 Not Found catcher.
    => CORS Fairing: Turned missing route OPTIONS / into an OPTIONS pre-flight request
    => Response succeeded.
PUT /:
    => Matched: PUT /
    => Outcome: Success
    => Response succeeded.

@adimarco: I am assuming that you have no further issue with this. Please reopen or raise a new issue if something new arises.

I got brained by this issue the first time I tried rocket_cors, and adimarco and I probably aren't the only ones. Took me quite a lot of googling to find out the missing Origin was the key.

Handling no/default Origin would be great to make rocket_cors easier to understand, and help them understand they aren't doing anything wrong when they try the crate for the first time.

Do you mean you would like the crate to inject the CORS response headers even when the browser does not include any CORS related request headers?
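
The behaviour discussed in this thread, as an added std-only sketch that is not code from rocket_cors or from any participant: a request with no Origin header is not a CORS request and gets no CORS headers, while a present Origin is checked against an allowlist. The names `CorsOutcome` and `evaluate_origin` are hypothetical, and rejecting an empty Origin value is this sketch's own choice.

```rust
// Added illustration, not rocket_cors source. All names here are hypothetical.
#[derive(Debug, PartialEq)]
enum CorsOutcome {
    /// No Origin header: not a CORS request, the response goes out unchanged.
    NotCors,
    /// Origin present but not on the allowlist: no CORS headers are granted.
    Rejected,
    /// Origin allowed: these headers are appended to the response.
    Allowed(Vec<(&'static str, String)>),
}

fn evaluate_origin(origin: Option<&str>, allowed: &[&str], allow_credentials: bool) -> CorsOutcome {
    let origin = match origin {
        None => return CorsOutcome::NotCors, // the plain `curl -v localhost:8000/` case
        Some(o) => o,
    };
    // Exact comparison against the configured origins. An empty value can
    // never match, so `-H "Origin: "` is rejected (this sketch's choice).
    if origin.is_empty() || !allowed.iter().any(|a| *a == origin) {
        return CorsOutcome::Rejected;
    }
    // Echo the specific origin rather than "*": browsers refuse a wildcard
    // on credentialed requests. Vary keeps caches from mixing up origins.
    let mut headers = vec![
        ("Access-Control-Allow-Origin", origin.to_string()),
        ("Vary", "Origin".to_string()),
    ];
    if allow_credentials {
        headers.push(("Access-Control-Allow-Credentials", "true".to_string()));
    }
    CorsOutcome::Allowed(headers)
}

fn main() {
    // Allowlist taken from the example in the thread; request origins are constructed.
    let allowed = ["http://www.test-cors.org"];
    let cases = [None, Some(""), Some("http://other.example"), Some("http://www.test-cors.org")];
    for origin in cases.iter() {
        println!("{:?} -> {:?}", origin, evaluate_origin(*origin, &allowed, true));
    }
}
```

With `allow_credentials: true`, as in the configuration above, there is no origin to echo when the header is absent, which is why the Origin-less response carries no CORS headers in this model.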