Lack of handling for CORS/OPTIONS

[LLBlumire]

In order for a server to provide an external API it needs to be able to deal with Cross Origin Resource Sharing. These are done by web browsers sending a preflight OPTIONS request asking what resources it is allowed to access on the server, then after being given a resonse containing certain information in it's header a browser will send the actual GET/PUT/POST/etc query to the server, with no response it will not do this and cause Cross Site Scripting errors to be reported.

There are two obvious ways this can be handled, the first and simplest is to add an "OPTIONS" annotation of the same ilk as the existing HTTP Methods, this will allow users of Rocket to manually implement the correct preflight request handling for api endpoints that need to provide CORS.

The other is to provide some form of automatic CORS handling, this can be seen in a number of other libraries used for web server development (outside the realm of rust) such as spring.io (http://docs.spring.io/spring/docs/current/spring-framework-reference/html/cors.html) or flasks (https://pypi.python.org/pypi/Flask-Cors).

W3 Specification on CORS: https://www.w3.org/TR/cors/

[fabricedesre]

Having a "native" built in support would be better. We did something for iron, which was quite simple (https://github.com/fxbox/iron-cors/).

[kybishop]

Info a little more readable than the w3 spec 😉: http://enable-cors.org/server.html

[SergioBenitez]

I agree that Rocket should have a nicer way to handle this, and it's on my list of things to determine how to do better. For now, I've added the ability to use #[route(OPTIONS, "/", ...)] to manually handle OPTIONS requests in 2de006d. As soon as #83 is resolved, you'll be able to use options as a decorator directly.

[flosse]

I'd love to see a full CORS example :) Did someone already made experiences?

[sebasmagri]

This is what I'm currently doing to handle the preflight request:

#[route(OPTIONS, "/endpoint/")]
fn options_handler<'a>() -> Response<'a> {
    Response::build()
        .raw_header("Access-Control-Allow-Origin", "http://host.tld")
        .raw_header("Access-Control-Allow-Methods", "OPTIONS, POST")
        .raw_header("Access-Control-Allow-Headers", "Content-Type")
        .finalize()
}

However, for a handler returning data, I can't still find a way to wrap the existing response in a Response to add the headers. The existing handler looks like this:

#[post("/endpoint/", format = "application/json", data = "<config>")]
fn post_handler(config: JSON<Config>) -> Option<JSON<Wrapper>> {
    let wrapper = factory(report_id);
    match wrapper {
        Some(f) => Some(JSON(f(&(config.unwrap())))),
        None => None
    }
}

Is this a correct approach? How could I add headers to the JSON response?

[kybishop]

@sebasmagri JSON impliments the Responder trait. Something like this should work:

#[post("/endpoint/", format = "application/json", data = "<config>")]
fn post_handler<'request>(config: JSON<Config>)
                          -> Option<Result<Response<'request>, &'str>> {
    let wrapper = factory(report_id);
    match wrapper {
        Some(f) => {
            let response = Response::build_from(JSON(f(&(config.unwrap()))).respond().unwrap());

            response.header(hyper::header::AccessControlAllowOrigin::Any)

            Some(response.ok())
        },
        None => None
    }
}

[SergioBenitez]

@kybishop's got the right idea, but you should rarely, if ever, be constructing a Response object in your handler. Instead, create a new type and implement Responder for it. You can then return it directly from your handler. See the wrapping Responder section of the guide for more info.

For this problem in particular, I would create a new CORS type and implement Responder for it. I implemented a small one, and I copy the code below. It's incomplete, inefficient, and could be made less error-prone, but it works, and using it is clean.

use std::collections::HashSet;
use rocket::response::{self, Response, Responder};
use rocket::http::Method;

struct CORS<R> {
    responder: R,
    allow_origin: &'static str,
    expose_headers: HashSet<&'static str>,
    allow_credentials: bool,
    allow_headers: HashSet<&'static str>,
    allow_methods: HashSet<Method>,
    max_age: Option<usize>
}

type PreflightCORS = CORS<()>;

impl PreflightCORS {
    pub fn preflight(origin: &'static str) -> PreflightCORS {
        CORS::origin((), origin)
    }
}

impl<'r, R: Responder<'r>> CORS<R> {
    pub fn origin(responder: R, origin: &'static str) -> CORS<R> {
        CORS {
            responder: responder,
            allow_origin: origin,
            expose_headers: HashSet::new(),
            allow_credentials: false,
            allow_headers: HashSet::new(),
            allow_methods: HashSet::new(),
            max_age: None
        }
    }

    pub fn any(responder: R) -> CORS<R> {
        CORS::origin(responder, "*")
    }

    pub fn credentials(mut self, value: bool) -> CORS<R> {
        self.allow_credentials = value;
        self
    }

    pub fn methods(mut self, methods: Vec<Method>) -> CORS<R> {
        for method in methods {
            self.allow_methods.insert(method);
        }

        self
    }

    pub fn headers(mut self, headers: Vec<&'static str>) -> CORS<R> {
        for header in headers {
            self.allow_headers.insert(header);
        }

        self
    }

    // TODO: Add more builder methods to set the rest of the fields.
}

impl<'r, R: Responder<'r>> Responder<'r> for CORS<R> {
    fn respond(self) -> response::Result<'r> {
        let mut response = Response::build_from(self.responder.respond()?)
            .raw_header("Access-Control-Allow-Origin", self.allow_origin)
            .finalize();

        match self.allow_credentials {
            true => response.set_raw_header("Access-Control-Allow-Credentials", "true"),
            false => response.set_raw_header("Access-Control-Allow-Credentials", "false")
        };

        if !self.allow_methods.is_empty() {
            let mut methods = String::with_capacity(self.allow_methods.len() * 7);
            for (i, method) in self.allow_methods.iter().enumerate() {
                if i != 0 { methods.push_str(", ") }
                methods.push_str(method.as_str());
            }

            response.set_raw_header("Access-Control-Allow-Methods", methods);
        }

        // FIXME: Get rid of this dupe.
        if !self.allow_headers.is_empty() {
            let mut headers = String::with_capacity(self.allow_headers.len() * 15);
            for (i, header) in self.allow_headers.iter().enumerate() {
                if i != 0 { headers.push_str(", ") }
                headers.push_str(header);
            }

            response.set_raw_header("Access-Control-Allow-Headers", headers);
        }

        // TODO: Inspect and set the rest of the fields.

        Ok(response)
    }

}

You would then use it in routes like:

#[route(OPTIONS, "/item")]
fn cors_preflight() -> PreflightCORS {
    CORS::preflight("http://host.tld")
        .methods(vec![Method::Options, Method::Post])
        .headers(vec!["Content-Type"])
}

#[post("/item")]
fn cors_demo() -> CORS<&'static str> {
    CORS::any("This is the response.")
}

In the particular POST route above, you could do:

#[post("/item")]
fn cors_demo() -> CORS<Option<JSON<Wrapper>>> {
    CORS::any(option_json_wrapper)
}

[sebasmagri]

I believe having this type into the framework would be really good. Thanks @SergioBenitez

[rofrol]

Regarding the code from #25 (comment), I have found this:

The only valid value for this header is true (case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to false).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

[SergioBenitez]

Now that #55 has landed, we can add proper support for CORS to Rocket! I'm happy to field any design ideas and/or mentor anyone who might be willing to implement some CORS related fairings and structures for contrib.