Allow CORS header when using tonic-web

Question

I've create a gRPC web server like this:

use tonic_web::GrpcWebLayer;
use tonic::{
    transport::Server,
};

let grpc_web_handle = tokio::spawn(
   Server::builder()
         .accept_http1(true)
         .layer(GrpcWebLayer::new())
         .add_service(
             tonic_web::enable(
                 AuthServer::new(
                     AuthImpl::default()
                 )
             )
         )
         .serve("127.0.0.1:9001".parse()?)
)
//...

However, my firefox complains about CORS:

OPTIONS http://127.0.0.1:9001/auth.Auth/Login: (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

Response:

HTTP/1.1 400 Bad Request
content-length: 0
date: Wed, 13 Dec 2023 22:25:53 GMT

I also tried to wrap the AuthServer into cors(AuthServer::new(...))

fn cors<S>(service: S) -> CorsGrpcWeb<S> where
    S: Service<http::Request<hyper::Body>, Response=http::Response<BoxBody>>,
    S: Clone + Send + 'static,
    S::Future: Send + 'static,
    S::Error: Into<BoxError> + Send
{
    CorsLayer::permissive().layer(tonic_web::enable(service)).into_inner()
}

Still not working.

tonic = {version = "0.10.2", features = []}
tonic-web = {version = "0.10.2",features = []}
tokio = { version = "1.34.0", features = ["full"] }

Answer 1

To enable CORS you can use below definition

tower-http = { version = "0.3", features = ["cors"] }

As they said in this PR

You can customize the CORS configuration composing the [GrpcWebLayer] with the cors layer of your choice.

Also found this example in their issues

  Server::builder()
       .accept_http1(true)
        .layer(
            CorsLayer::new()
                .allow_origin(AllowOrigin::mirror_request())
                .allow_credentials(true)
                .max_age(DEFAULT_MAX_AGE)
                .expose_headers(
                    DEFAULT_EXPOSED_HEADERS
                        .iter()
                        .cloned()
                        .map(HeaderName::from_static)
                        .collect::<Vec<HeaderName>>(),
                )
                .allow_headers(
                    DEFAULT_ALLOW_HEADERS
                        .iter()
                        .cloned()
                        .map(HeaderName::from_static)
                        .collect::<Vec<HeaderName>>(),
                ),
        )
       .layer(GrpcWebLayer::new())
       .add_service(greeter)
       .serve(addr)
       .await?;

Also check this comment too.