From af3ee48a9a8ea4ff95881e0f16b59f7e4e6bc012 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jun 2026 13:17:25 +0000 Subject: [PATCH 1/3] chore(deps): bump tower-http from 0.6.11 to 0.7.0 Bumps [tower-http](https://github.com/tower-rs/tower-http) from 0.6.11 to 0.7.0. - [Release notes](https://github.com/tower-rs/tower-http/releases) - [Commits](https://github.com/tower-rs/tower-http/compare/tower-http-0.6.11...tower-http-0.7.0) --- updated-dependencies: - dependency-name: tower-http dependency-version: 0.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 19 +++++++++++++++++-- Cargo.toml | 2 +- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d859fea..52c9180 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -92,7 +92,7 @@ dependencies = [ "serde_json", "thiserror", "tokio", - "tower-http", + "tower-http 0.7.0", "tracing", "tracing-subscriber", "url", @@ -1942,7 +1942,7 @@ dependencies = [ "tokio-rustls", "tokio-util", "tower", - "tower-http", + "tower-http 0.6.11", "tower-service", "url", "wasm-bindgen", @@ -2679,6 +2679,21 @@ dependencies = [ "url", ] +[[package]] +name = "tower-http" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b11f75e912b0c2be01b63d8cf8057b8c3f97cf34abb3d431a3a4c8675498e233" +dependencies = [ + "bitflags", + "bytes", + "http", + "percent-encoding", + "pin-project-lite", + "tower-layer", + "tower-service", +] + [[package]] name = "tower-layer" version = "0.3.3" diff --git a/Cargo.toml b/Cargo.toml index 7270daa..4c86237 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -79,7 +79,7 @@ open = "5" rustc-hash = "2.1.1" shell-words = "1.1" strip-ansi-escapes = "0.2" -tower-http = "0.6" +tower-http = "0.7" windows-sys = "0.61" From 03570c7ffbeafb6cd6dad313bdcde5b47d0db337 Mon Sep 17 00:00:00 2001 From: Ben Brandt Date: Mon, 22 Jun 2026 21:41:27 +0200 Subject: [PATCH 2/3] Adjust cors for new version --- Cargo.lock | 1 + Cargo.toml | 1 + src/agent-client-protocol-http/Cargo.toml | 1 + src/agent-client-protocol-http/src/server.rs | 60 +++++++++++++++++++- 4 files changed, 62 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index 52c9180..6bdc7be 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -92,6 +92,7 @@ dependencies = [ "serde_json", "thiserror", "tokio", + "tower", "tower-http 0.7.0", "tracing", "tracing-subscriber", diff --git a/Cargo.toml b/Cargo.toml index 4c86237..7a12647 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -80,6 +80,7 @@ rustc-hash = "2.1.1" shell-words = "1.1" strip-ansi-escapes = "0.2" tower-http = "0.7" +tower = { version = "0.5", features = ["util"] } windows-sys = "0.61" diff --git a/src/agent-client-protocol-http/Cargo.toml b/src/agent-client-protocol-http/Cargo.toml index 9c29358..9a71c55 100644 --- a/src/agent-client-protocol-http/Cargo.toml +++ b/src/agent-client-protocol-http/Cargo.toml @@ -73,6 +73,7 @@ axum = { workspace = true, features = ["ws", "macros"] } tokio = { workspace = true, features = ["macros", "net", "rt", "sync", "time"] } async-tungstenite.workspace = true tracing-subscriber.workspace = true +tower.workspace = true [lints] workspace = true diff --git a/src/agent-client-protocol-http/src/server.rs b/src/agent-client-protocol-http/src/server.rs index a310997..695b169 100644 --- a/src/agent-client-protocol-http/src/server.rs +++ b/src/agent-client-protocol-http/src/server.rs @@ -65,7 +65,7 @@ impl CorsOptions { match self { Self::Disabled => None, Self::AllowOrigins(origins) => Some(AllowOrigin::list(origins.clone())), - Self::AllowAnyOrigin => Some(AllowOrigin::mirror_request()), + Self::AllowAnyOrigin => Some(AllowOrigin::any()), } } @@ -196,6 +196,8 @@ async fn handle_get( #[cfg(test)] mod tests { use super::*; + use axum::body::Body; + use tower::{Layer as _, ServiceExt as _, service_fn}; #[test] fn cors_is_disabled_by_default() { @@ -227,4 +229,60 @@ mod tests { assert!(CorsOptions::allow_any_origin().allows_origin(Some(&origin))); } + + #[tokio::test] + async fn allow_any_origin_uses_wildcard_cors_header() { + let response = default_cors( + CorsOptions::allow_any_origin() + .allow_origin_layer() + .expect("CORS layer"), + ) + .layer(service_fn(|_: axum::http::Request| async { + Ok::<_, std::convert::Infallible>(Response::new(Body::empty())) + })) + .oneshot( + axum::http::Request::builder() + .header(header::ORIGIN, "https://example.com") + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!( + response.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), + Some(&HeaderValue::from_static("*")) + ); + assert!(response.headers().get(header::VARY).is_none()); + } + + #[tokio::test] + async fn allowlisted_origins_vary_by_origin() { + let response = default_cors( + CorsOptions::allow_origins(["https://example.com"]) + .unwrap() + .allow_origin_layer() + .expect("CORS layer"), + ) + .layer(service_fn(|_: axum::http::Request| async { + Ok::<_, std::convert::Infallible>(Response::new(Body::empty())) + })) + .oneshot( + axum::http::Request::builder() + .header(header::ORIGIN, "https://example.com") + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!( + response.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN), + Some(&HeaderValue::from_static("https://example.com")) + ); + assert_eq!( + response.headers().get(header::VARY), + Some(&HeaderValue::from_static("origin")) + ); + } } From b7c3b62e63ad33549c3d1e341c7f7de240d47f2f Mon Sep 17 00:00:00 2001 From: Ben Brandt Date: Mon, 22 Jun 2026 21:45:01 +0200 Subject: [PATCH 3/3] reorder cargo.toml --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 7a12647..31e6425 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -79,8 +79,8 @@ open = "5" rustc-hash = "2.1.1" shell-words = "1.1" strip-ansi-escapes = "0.2" -tower-http = "0.7" tower = { version = "0.5", features = ["util"] } +tower-http = "0.7" windows-sys = "0.61"