Fix CORS behaviour if there is no origin header

The CORS origin header handling fell back to an empty header value. This
value is considered valid for `Origin::Any` (wildcard origin). However,
if the CORS middleware is restricted to a whitelist of origins, the
`is_valid_origin` check correctly fails for an empty origin header
value. Though, since we fell back to an empty value when there is no
origin header at all, we fail the validation and consequentially respond
with a 403 (forbidden) to such requests.

The CORS specifications stats the following for simple cross-origin
requests, actual requests and preflight requests:

> If the Origin header is not present terminate this set of steps. The
> request is outside the scope of this specification.

This commit therefore updates the CORS middleware to ignore requests
that have no origin header set.

Author: rkusa

src/middleware/cors.rs

@@ -149,13 +149,16 @@ impl Cors {
 impl<State: Send + Sync + 'static> Middleware<State> for Cors {
     fn handle<'a>(&'a self, req: Request<State>, next: Next<'a, State>) -> BoxFuture<'a, Response> {
         Box::pin(async move {
-            let origins = req
-                .header(&headers::ORIGIN)
-                .cloned()
-                .unwrap_or_else(|| vec!["".parse::<HeaderValue>().unwrap()]);
+            let origins = req.header(&headers::ORIGIN).cloned().unwrap_or_default();
 
             // TODO: how should multiple origin values be handled?
-            let origin = &origins[0];
+            let origin = match origins.first() {
+                Some(origin) => origin,
+                None => {
+                    // This is not a CORS request if there is no Origin header
+                    return next.run(req).await;
+                }
+            };
 
             if !self.is_valid_origin(origin) {
                 return http_types::Response::new(StatusCode::Unauthorized).into();
@@ -395,7 +398,7 @@ mod test {
     #[test]
     fn not_set_origin_header() {
         let mut app = app();
-        app.middleware(Cors::new());
+        app.middleware(Cors::new().allow_origin(ALLOW_ORIGIN));
 
         let request = http_types::Request::new(http_types::Method::Get, endpoint_url());