Allow specifying extra cors headers for dapps (#4710)

dapps/src/api/api.rs

@@ -39,7 +39,11 @@ pub struct RestApi {
 impl RestApi {
 	pub fn new(cors_domains: Vec<String>, endpoints: Arc<Endpoints>, fetcher: Arc<Fetcher>) -> Box<Endpoint> {
 		Box::new(RestApi {
-			cors_domains: Some(cors_domains.into_iter().map(AccessControlAllowOrigin::Value).collect()),
+			cors_domains: Some(cors_domains.into_iter().map(|domain| match domain.as_ref() {
+				"all" | "*" | "any" => AccessControlAllowOrigin::Any,
+				"null" => AccessControlAllowOrigin::Null,
+				other => AccessControlAllowOrigin::Value(other.into()),
+			}).collect()),
 			endpoints: endpoints,
 			fetcher: fetcher,
 		})

dapps/src/lib.rs

@@ -111,6 +111,7 @@ pub struct ServerBuilder<T: Fetch = FetchClient> {
 	web_proxy_tokens: Arc<WebProxyTokens>,
 	signer_address: Option<(String, u16)>,
 	allowed_hosts: Option<Vec<String>>,
+	extra_cors: Option<Vec<String>>,
 	remote: Remote,
 	fetch: Option<T>,
 }
@@ -126,6 +127,7 @@ impl ServerBuilder {
 			web_proxy_tokens: Arc::new(|_| false),
 			signer_address: None,
 			allowed_hosts: Some(vec![]),
+			extra_cors: None,
 			remote: remote,
 			fetch: None,
 		}
@@ -143,6 +145,7 @@ impl<T: Fetch> ServerBuilder<T> {
 			web_proxy_tokens: self.web_proxy_tokens,
 			signer_address: self.signer_address,
 			allowed_hosts: self.allowed_hosts,
+			extra_cors: self.extra_cors,
 			remote: self.remote,
 			fetch: Some(fetch),
 		}
@@ -174,6 +177,13 @@ impl<T: Fetch> ServerBuilder<T> {
 		self
 	}
 
+	/// Extra cors headers.
+	/// `None` - no additional CORS URLs
+	pub fn extra_cors_headers(mut self, cors: Option<Vec<String>>) -> Self {
+		self.extra_cors = cors;
+		self
+	}
+
 	/// Change extra dapps paths (apart from `dapps_path`)
 	pub fn extra_dapps<P: AsRef<Path>>(mut self, extra_dapps: &[P]) -> Self {
 		self.extra_dapps = extra_dapps.iter().map(|p| p.as_ref().to_owned()).collect();
@@ -187,6 +197,7 @@ impl<T: Fetch> ServerBuilder<T> {
 		Server::start_http(
 			addr,
 			self.allowed_hosts,
+			self.extra_cors,
 			NoAuth,
 			handler,
 			self.dapps_path,
@@ -207,6 +218,7 @@ impl<T: Fetch> ServerBuilder<T> {
 		Server::start_http(
 			addr,
 			self.allowed_hosts,
+			self.extra_cors,
 			HttpBasicAuth::single_user(username, password),
 			handler,
 			self.dapps_path,
@@ -251,8 +263,8 @@ impl Server {
 	}
 
 	/// Returns a list of CORS domains for API endpoint.
-	fn cors_domains(signer_address: Option<(String, u16)>) -> Vec<String> {
-		match signer_address {
+	fn cors_domains(signer_address: Option<(String, u16)>, extra_cors: Option<Vec<String>>) -> Vec<String> {
+		let basic_cors = match signer_address {
 			Some(signer_address) => vec![
 				format!("http://{}{}", HOME_PAGE, DAPPS_DOMAIN),
 				format!("http://{}{}:{}", HOME_PAGE, DAPPS_DOMAIN, signer_address.1),
@@ -260,15 +272,20 @@ impl Server {
 				format!("https://{}{}", HOME_PAGE, DAPPS_DOMAIN),
 				format!("https://{}{}:{}", HOME_PAGE, DAPPS_DOMAIN, signer_address.1),
 				format!("https://{}", address(&signer_address)),
-
 			],
 			None => vec![],
+		};
+
+		match extra_cors {
+			None => basic_cors,
+			Some(extra_cors) => basic_cors.into_iter().chain(extra_cors).collect(),
 		}
 	}
 
 	fn start_http<A: Authorization + 'static, F: Fetch, T: Middleware<Metadata>>(
 		addr: &SocketAddr,
 		hosts: Option<Vec<String>>,
+		extra_cors: Option<Vec<String>>,
 		authorization: A,
 		handler: RpcHandler<Metadata, T>,
 		dapps_path: PathBuf,
@@ -297,7 +314,7 @@ impl Server {
 			remote.clone(),
 			fetch.clone(),
 		));
-		let cors_domains = Self::cors_domains(signer_address.clone());
+		let cors_domains = Self::cors_domains(signer_address.clone(), extra_cors);
 
 		let special = Arc::new({
 			let mut special = HashMap::new();
@@ -413,8 +430,9 @@ mod util_tests {
 		// given
 
 		// when
-		let none = Server::cors_domains(None);
-		let some = Server::cors_domains(Some(("127.0.0.1".into(), 18180)));
+		let none = Server::cors_domains(None, None);
+		let some = Server::cors_domains(Some(("127.0.0.1".into(), 18180)), None);
+		let extra = Server::cors_domains(None, Some(vec!["all".to_owned()]));
 
 		// then
 		assert_eq!(none, Vec::<String>::new());
@@ -425,7 +443,7 @@ mod util_tests {
 			"https://parity.web3.site".into(),
 			"https://parity.web3.site:18180".into(),
 			"https://127.0.0.1:18180".into()
-
 		]);
+		assert_eq!(extra, vec!["all".to_owned()]);
 	}
 }

dapps/src/tests/api.rs

@@ -14,7 +14,7 @@
 // You should have received a copy of the GNU General Public License
 // along with Parity.  If not, see <http://www.gnu.org/licenses/>.
 
-use tests::helpers::{serve, serve_with_registrar, request, assert_security_headers};
+use tests::helpers::{serve, serve_with_registrar, serve_extra_cors, request, assert_security_headers};
 
 #[test]
 fn should_return_error() {
@@ -212,3 +212,25 @@ fn should_return_signer_port_cors_headers_for_home_parity_with_port() {
 	);
 }
 
+#[test]
+fn should_return_extra_cors_headers() {
+	// given
+	let server = serve_extra_cors(Some(vec!["all".to_owned()]));
+
+	// when
+	let response = request(server,
+		"\
+			POST /api/ping HTTP/1.1\r\n\
+			Host: localhost:8080\r\n\
+			Origin: http://somedomain.io\r\n\
+			Connection: close\r\n\
+			\r\n\
+			{}
+		"
+	);
+
+	// then
+	response.assert_status("HTTP/1.1 200 OK");
+	response.assert_header("Access-Control-Allow-Origin", "http://somedomain.io");
+}
+

dapps/src/tests/helpers/mod.rs

@@ -109,6 +109,10 @@ pub fn serve_hosts(hosts: Option<Vec<String>>) -> ServerLoop {
 	init_server(|builder| builder.allowed_hosts(hosts), Default::default(), Remote::new_sync()).0
 }
 
+pub fn serve_extra_cors(extra_cors: Option<Vec<String>>) -> ServerLoop {
+	init_server(|builder| builder.allowed_hosts(None).extra_cors_headers(extra_cors), Default::default(), Remote::new_sync()).0
+}
+
 pub fn serve_with_registrar() -> (ServerLoop, Arc<FakeRegistrar>) {
 	init_server(|builder| builder.allowed_hosts(None), Default::default(), Remote::new_sync())
 }