bug: make CORS default less restrictive. (#348)

Fixes: Sync-3608
mozilla-services · Apr 27, 2023 · d421e8d · d421e8d
1 parent f90fc06
commit d421e8d
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/autoendpoint/src/server.rs b/autoendpoint/src/server.rs
@@ -111,6 +111,17 @@ impl Server {
         };
 
         let server = HttpServer::new(move || {
+            // These have a bad habit of being reset. Specify them explicitly.
+            let cors = Cors::default()
+                .allow_any_origin()
+                .allow_any_header()
+                .allowed_methods(vec![
+                    actix_web::http::Method::DELETE,
+                    actix_web::http::Method::GET,
+                    actix_web::http::Method::POST,
+                    actix_web::http::Method::PUT,
+                ])
+                .max_age(3600);
             App::new()
                 // Actix 4 recommends wrapping structures wtih web::Data (internally an Arc)
                 .app_data(Data::new(app_state.clone()))
@@ -124,7 +135,7 @@ impl Server {
                     metrics.clone(),
                     "api_error".to_owned(),
                 ))
-                .wrap(Cors::default())
+                .wrap(cors)
                 // Endpoints
                 .service(
                     web::resource(["/wpush/{api_version}/{token}", "/wpush/{token}"])