rack-cors 0.2.9 → 1.0.5

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OTQyY2Q0OGNmOGZjMWNhOTc0OTdmOTY3ZTk0NDY0NzhmODE5YTI5Yg==
-  data.tar.gz: !binary |-
-    ZDQyMTJlMTg3MDczMmE0ZjFkMmZjOGExMGU3NDE0NmQ2MGY1YzBlZQ==
+SHA256:
+  metadata.gz: a12cdfc5aca2abf0cf86fb1ca217619fa6b40cad19721118016e064554f46ba0
+  data.tar.gz: 2874199b748909fdfd3e8ec601bd8620bc0235e60c66226259a79ff2404dbaf8
 SHA512:
-  metadata.gz: !binary |-
-    NGViNTEzOTIzZjc2ZjVhNjZkZDBmODQ5NzAzNzk3ZThiYzZkMGU2YTU3MmUx
-    NDc3ODlkMTIwNjFmNGZhOWUwZmNjMmEyN2YxZWQ1NTA3NDU3NjEzMGYyNDdi
-    NTM4ZTI3NmQ4ZTE1MmNjOGY5ZTBlNDk2YTQyZDQ0NzA5ZTc2NTE=
-  data.tar.gz: !binary |-
-    NGIwN2QwMjQ1OTQwNzY3M2MzYWFiNWI0Y2RjMjVmMTEzMTk3YjE1ZGJhNjQw
-    YzRjNzhkZTRmZGExYjU2YzU5Y2Q4OTkyNzAyYTFhODRmNGViOGI0MTQyNmNh
-    MjAwYjUxZjRkMGZjMjRmMDJhYjRiOWU2ZmNjNTFjNmEzZTY2YWQ=
+  metadata.gz: 2b71fe191ad396ab85e8c1966e979fa3516ee768bae6ed93fd1d43644eada8a455dbab00990ef22440ee7f82dab16a37b283897403d4eba674547bda1f0b86f5
+  data.tar.gz: a31481b3f6d9d45bdc522c444e923438f7f513a57796bf2cf6eaaa665d87f7479bf5f1e5f5ea8d380ce7194f0d3690823e1a681e55c17317cab29bf87b7a7303

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+sudo: false
+rvm:
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6

data/CHANGELOG.md

@@ -0,0 +1,73 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## 1.0.5 - 2019-11-14
+### Changed
+- Update Gem spec to require rack >= 1.6.0
+
+## 1.0.4 - 2019-11-13
+### Security
+- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
+
+## 1.0.3 - 2019-03-24
+### Changed
+- Don't send 'Content-Type' header with pre-flight requests
+- Allow ruby array for  vary header config
+
+## 1.0.2 - 2017-10-22
+### Fixed
+- Automatically allow simple headers when headers are set
+
+## 1.0.1 - 2017-07-18
+### Fixed
+- Allow lambda origin configuration
+
+## 1.0.0 - 2017-07-15
+### Security
+- Don't implicitly accept 'null' origins when 'file://' is specified
+(https://github.com/cyu/rack-cors/pull/134)
+- Ignore '' origins (https://github.com/cyu/rack-cors/issues/139)
+- Default credentials option on resources to false
+(https://github.com/cyu/rack-cors/issues/95)
+- Don't allow credentials option to be true if '*' is specified is origin
+(https://github.com/cyu/rack-cors/pull/142)
+- Don't reflect Origin header when '*' is specified as origin
+(https://github.com/cyu/rack-cors/pull/142)
+
+### Fixed
+- Don't respond immediately on non-matching preflight requests instead of
+sending them through the app (https://github.com/cyu/rack-cors/pull/106)
+
+## 0.4.1 - 2017-02-01
+### Fixed
+- Return miss result in X-Rack-CORS instead of incorrectly returning
+preflight-hit
+
+## 0.4.0 - 2015-04-15
+### Changed
+- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
+
+### Added
+- Calculate vary headers for non-CORS resources
+- Support custom vary headers for resource
+- Support :if option for resource
+- Support :any as a possible value for :methods option
+
+### Fixed
+- Don't symbolize incoming HTTP request methods
+
+## 0.3.1 - 2014-12-27
+### Changed
+- Changed the env key to rack.cors to avoid Rack::Lint warnings
+
+## 0.3.0 - 2014-10-19
+### Added
+- Added support for defining a logger with a Proc
+- Return a X-Rack-CORS header when in debug mode detailing how Rack::Cors
+processed a request
+- Added support for non HTTP/HTTPS origins when just a domain is specified
+
+### Changed
+- Changed the log level of the fallback logger to DEBUG
+- Print warning when attempting to use :any as an allowed method
+- Treat incoming `Origin: null` headers as file://

data/Gemfile

@@ -2,3 +2,5 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in rack-cors.gemspec
 gemspec
+
+gem 'pry-byebug', '~> 3.6.0'

data/README.md

@@ -0,0 +1,139 @@
+# Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
+
+`Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
+
+The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
+
+## Installation
+
+Install the gem:
+
+`gem install rack-cors`
+
+Or in your Gemfile:
+
+```ruby
+gem 'rack-cors'
+```
+
+
+## Configuration
+
+### Rails Configuration
+Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
+
+```ruby
+module YourApp
+  class Application < Rails::Application
+    # ...
+    
+    # Rails 5
+
+    config.middleware.insert_before 0, Rack::Cors do
+      allow do
+        origins '*'
+        resource '*', headers: :any, methods: [:get, :post, :options]
+      end
+    end
+
+    # Rails 3/4
+
+    config.middleware.insert_before 0, "Rack::Cors" do
+      allow do
+        origins '*'
+        resource '*', headers: :any, methods: [:get, :post, :options]
+      end
+    end
+  end
+end
+```
+
+We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with by other middleware (see `Rack::Cache` note in **Common Gotchas** section). Check out the [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) and [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3).
+
+See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
+
+### Rack Configuration
+
+NOTE: If you're running Rails, updating in `config/application.rb` should be enough.  There is no need to update `config.ru` as well.
+
+In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
+
+```ruby
+use Rack::Cors do
+  allow do
+    origins 'localhost:3000', '127.0.0.1:3000',
+            /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/
+            # regular expressions can be used here
+
+    resource '/file/list_all/', :headers => 'x-domain-token'
+    resource '/file/at/*',
+        methods: [:get, :post, :delete, :put, :patch, :options, :head],
+        headers: 'x-domain-token',
+        expose: ['Some-Custom-Response-Header'],
+        max_age: 600
+        # headers to expose
+  end
+
+  allow do
+    origins '*'
+    resource '/public/*', headers: :any, methods: :get
+
+    # Only allow a request for a specific host
+    resource '/api/v1/*',
+        headers: :any,
+        methods: :get,
+        if: proc { |env| env['HTTP_HOST'] == 'api.example.com' }
+  end
+end
+```
+
+### Configuration Reference
+
+#### Middleware Options
+* **debug** (boolean):  Enables debug logging and `X-Rack-CORS` HTTP headers for debugging.
+* **logger** (Object or Proc): Specify the logger to log to.  If a proc is provided, it will be called when a logger is needed.  This is helpful in cases where the logger is initialized after `Rack::Cors` is initially configured, like `Rails.logger`.
+
+#### Origin
+Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
+
+**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
+
+Additionally, origins can be specified dynamically via a block of the following form:
+```ruby
+  origins { |source, env| true || false }
+```
+
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  To include all of a directory's files and the files in its subdirectories, use this form: `/assets/**/*`.  A resource can take the following options:
+
+* **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
+* **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
+* **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
+* **credentials** (boolean, default: `false`): Sets the `Access-Control-Allow-Credentials` response header. **Note:** If a wildcard (`*`) origin is specified, this option cannot be set to `true`.  Read this [security article](http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html) for more information.
+* **max_age** (number): Sets the `Access-Control-Max-Age` response header.
+* **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
+* **vary** (string or array): A list of HTTP headers to add to the 'Vary' header.
+
+
+## Common Gotchas
+
+Incorrect positioning of `Rack::Cors` in the middleware stack can produce unexpected results.  The Rails example above will put it above all middleware which should cover most issues.
+
+Here are some common cases:
+
+* **Serving static files.**  Insert this middleware before `ActionDispatch::Static` so that static files are served with the proper CORS headers (see note below for a caveat).  **NOTE:** that this might not work in production environments as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+
+* **Caching in the middleware.**  Insert this middleware before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+
+* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.  Be sure to insert this middleware before 'Warden::Manager`.
+
+To determine where to put the CORS middleware in the Rack stack, run the following command:
+
+```bash
+bundle exec rake middleware
+```
+
+In many cases, the Rack stack will be different running in production environments.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run the following command to see what your middleware stack looks like in production:
+
+```bash
+RAILS_ENV=production bundle exec rake middleware
+```

data/lib/rack/cors.rb

@@ -2,10 +2,41 @@ require 'logger'
 
 module Rack
   class Cors
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'.freeze
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'.freeze
+
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'.freeze
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'.freeze
+
+    PATH_INFO      = 'PATH_INFO'.freeze
+    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+
+    RACK_LOGGER = 'rack.logger'.freeze
+    RACK_CORS   =
+    # retaining the old key for backwards compatibility
+    ENV_KEY     = 'rack.cors'.freeze
+
+    OPTIONS     = 'OPTIONS'.freeze
+    VARY        = 'Vary'.freeze
+
+    DEFAULT_VARY_HEADERS = ['Origin'].freeze
+
+    # All CORS routes need to accept CORS simple headers at all times
+    # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
+    CORS_SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'].freeze
+
     def initialize(app, opts={}, &block)
       @app = app
-      @logger = opts[:logger]
       @debug_mode = !!opts[:debug]
+      @logger = @logger_proc = nil
+
+      if logger = opts[:logger]
+        if logger.respond_to? :call
+          @logger_proc = opts[:logger]
+        else
+          @logger = logger
+        end
+      end
 
       if block_given?
         if block.arity == 1
@@ -16,6 +47,10 @@ module Rack
       end
     end
 
+    def debug?
+      @debug_mode
+    end
+
     def allow(&block)
       all_resources << (resources = Resources.new)
 
@@ -27,90 +62,232 @@ module Rack
     end
 
     def call(env)
-      env['HTTP_ORIGIN'] = 'file://' if env['HTTP_ORIGIN'] == 'null'
-      env['HTTP_ORIGIN'] ||= env['HTTP_X_ORIGIN']
+      env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
 
-      cors_headers = nil
-      if env['HTTP_ORIGIN']
+      path = evaluate_path(env)
+
+      add_headers = nil
+      if env[HTTP_ORIGIN]
         debug(env) do
           [ 'Incoming Headers:',
-            "  Origin: #{env['HTTP_ORIGIN']}",
-            "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
-            "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
+            "  Origin: #{env[HTTP_ORIGIN]}",
+            "  Path-Info: #{path}",
+            "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+            "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
             ].join("\n")
         end
-        if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-          if headers = process_preflight(env)
-            debug(env) do
-              "Preflight Headers:\n" +
-                  headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
-            end
-            return [200, headers, []]
+        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          headers = process_preflight(env, path)
+          debug(env) do
+            "Preflight Headers:\n" +
+                headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
           end
+          return [200, headers, []]
         else
-          cors_headers = process_cors(env)
+          add_headers = process_cors(env, path)
         end
+      else
+        Result.miss(env, Result::MISS_NO_ORIGIN)
       end
+
+      # This call must be done BEFORE calling the app because for some reason
+      # env[PATH_INFO] gets changed after that and it won't match. (At least
+      # in rails 4.1.6)
+      vary_resource = resource_for_path(path)
+
       status, headers, body = @app.call env
-      if cors_headers
-        headers = headers.merge(cors_headers)
 
-        # http://www.w3.org/TR/cors/#resource-implementation
-        unless headers['Access-Control-Allow-Origin'] == '*'
-          vary = headers['Vary']
-          headers['Vary'] = ((vary ? vary.split(/,\s*/) : []) + ['Origin']).uniq.join(', ')
+      if add_headers
+        headers = add_headers.merge(headers)
+        debug(env) do
+          add_headers.each_pair do |key, value|
+            if headers.has_key?(key)
+              headers["X-Rack-CORS-Original-#{key}"] = value
+            end
+          end
+        end
+      end
+
+      # Vary header should ALWAYS mention Origin if there's ANY chance for the
+      # response to be different depending on the Origin header value.
+      # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
+      if vary_resource
+        vary = headers[VARY]
+        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
+          vary_resource.vary_headers
+        else
+          DEFAULT_VARY_HEADERS
         end
+        headers[VARY] = ((vary ? ([vary].flatten.map { |v| v.split(/,\s*/) }.flatten) : []) + cors_vary_headers).uniq.join(', ')
       end
+
+      if debug? && result = env[RACK_CORS]
+        result.append_header(headers)
+      end
+
       [status, headers, body]
     end
 
     protected
       def debug(env, message = nil, &block)
-        if @debug_mode
-          logger = @logger || env['rack.logger'] || begin
-            @logger = ::Logger.new(STDOUT).tap {|logger| logger.level = ::Logger::Severity::INFO}
-          end
-          logger.debug(message, &block)
+        (@logger || select_logger(env)).debug(message, &block) if debug?
+      end
+
+      def select_logger(env)
+        @logger = if @logger_proc
+          logger_proc = @logger_proc
+          @logger_proc = nil
+          logger_proc.call
+
+        elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+          Rails.logger
+
+        elsif env[RACK_LOGGER]
+          env[RACK_LOGGER]
+
+        else
+          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
         end
       end
 
+      def evaluate_path(env)
+        path = env[PATH_INFO]
+        path = Rack::Utils.clean_path_info(Rack::Utils.unescape_path(path)) if path
+        path
+      end
+
       def all_resources
         @all_resources ||= []
       end
 
-      def process_preflight(env)
-        resource = find_resource(env['HTTP_ORIGIN'], env['PATH_INFO'],env)
-        resource && resource.process_preflight(env)
+      def process_preflight(env, path)
+        result = Result.preflight(env)
+
+        resource, error = match_resource(path, env)
+        unless resource
+          result.miss(error)
+          return {}
+        end
+
+        return resource.process_preflight(env, result)
       end
 
-      def process_cors(env)
-        resource = find_resource(env['HTTP_ORIGIN'], env['PATH_INFO'],env)
-        resource.to_headers(env) if resource
+      def process_cors(env, path)
+        resource, error = match_resource(path, env)
+        if resource
+          Result.hit(env)
+          cors = resource.to_headers(env)
+          cors
+
+        else
+          Result.miss(env, error)
+          nil
+        end
       end
 
-      def find_resource(origin, path, env)
+      def resource_for_path(path_info)
         all_resources.each do |r|
-          if r.allow_origin?(origin, env) and found = r.find_resource(path)
+          if found = r.resource_for_path(path_info)
             return found
           end
         end
         nil
       end
 
+      def match_resource(path, env)
+        origin = env[HTTP_ORIGIN]
+
+        origin_matched = false
+        all_resources.each do |r|
+          if r.allow_origin?(origin, env)
+            origin_matched = true
+            if found = r.match_resource(path, env)
+              return [found, nil]
+            end
+          end
+        end
+
+        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+      end
+
+      class Result
+        HEADER_KEY = 'X-Rack-CORS'.freeze
+
+        MISS_NO_ORIGIN = 'no-origin'.freeze
+        MISS_NO_PATH   = 'no-path'.freeze
+
+        MISS_NO_METHOD   = 'no-method'.freeze
+        MISS_DENY_METHOD = 'deny-method'.freeze
+        MISS_DENY_HEADER = 'deny-header'.freeze
+
+        attr_accessor :preflight, :hit, :miss_reason
+
+        def hit?
+          !!hit
+        end
+
+        def preflight?
+          !!preflight
+        end
+
+        def miss(reason)
+          self.hit = false
+          self.miss_reason = reason
+        end
+
+        def self.hit(env)
+          r = Result.new
+          r.preflight = false
+          r.hit = true
+          env[RACK_CORS] = r
+        end
+
+        def self.miss(env, reason)
+          r = Result.new
+          r.preflight = false
+          r.hit = false
+          r.miss_reason = reason
+          env[RACK_CORS] = r
+        end
+
+        def self.preflight(env)
+          r = Result.new
+          r.preflight = true
+          env[RACK_CORS] = r
+        end
+
+
+        def append_header(headers)
+          headers[HEADER_KEY] = if hit?
+            preflight? ? 'preflight-hit' : 'hit'
+          else
+            [
+              (preflight? ? 'preflight-miss' : 'miss'),
+              miss_reason
+            ].join('; ')
+          end
+        end
+      end
+
       class Resources
+
+        attr_reader :resources
+
         def initialize
           @origins = []
           @resources = []
           @public_resources = false
         end
 
-        def origins(*args,&blk)
-          @origins = args.flatten.collect do |n|
+        def origins(*args, &blk)
+          @origins = args.flatten.reject{ |s| s == '' }.map do |n|
             case n
-            when Regexp, /^https?:\/\// then n
-            when 'file://'              then n
-            when '*'                    then @public_resources = true; n
-            else                        ["http://#{n}", "https://#{n}"]
+            when Proc,
+                 Regexp,
+                 /^https?:\/\//,
+                 'file://'        then n
+            when '*'              then @public_resources = true; n
+            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
             end
           end.flatten
           @origins.push(blk) if blk
@@ -126,6 +303,7 @@ module Rack
 
         def allow_origin?(source,env = {})
           return true if public_resources?
+
           return !! @origins.detect do |origin|
             if origin.is_a?(Proc)
               origin.call(source,env)
@@ -135,21 +313,36 @@ module Rack
           end
         end
 
-        def find_resource(path)
-          @resources.detect{|r| r.match?(path)}
+        def match_resource(path, env)
+          @resources.detect { |r| r.match?(path, env) }
+        end
+
+        def resource_for_path(path)
+          @resources.detect { |r| r.matches_path?(path) }
         end
+
       end
 
       class Resource
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern
+        class CorsMisconfigurationError < StandardError
+          def message
+            "Allowing credentials for wildcard origins is insecure."\
+            " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
+          end
+        end
+
+        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
 
         def initialize(public_resource, path, opts={})
-          self.path        = path
-          self.methods     = ensure_enum(opts[:methods]) || [:get]
-          self.credentials = opts[:credentials].nil? ? true : opts[:credentials]
-          self.max_age     = opts[:max_age] || 1728000
-          self.pattern     = compile(path)
-          @public_resource = public_resource
+          raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
+
+          self.path         = path
+          self.credentials  = public_resource ? false : (opts[:credentials] == true)
+          self.max_age      = opts[:max_age] || 7200
+          self.pattern      = compile(path)
+          self.if_proc      = opts[:if]
+          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
+          @public_resource  = public_resource
 
           self.headers = case opts[:headers]
           when :any then :any
@@ -158,22 +351,46 @@ module Rack
             [opts[:headers]].flatten.collect{|h| h.downcase}
           end
 
+          self.methods = case opts[:methods]
+          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
+          else
+            ensure_enum(opts[:methods]) || [:get]
+          end.map{|e| e.to_s }
+
           self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
         end
 
-        def match?(path)
+        def matches_path?(path)
           pattern =~ path
         end
 
-        def process_preflight(env)
-          return nil if invalid_method_request?(env) || invalid_headers_request?(env)
-          {'Content-Type' => 'text/plain'}.merge(to_preflight_headers(env))
+        def match?(path, env)
+          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
+        end
+
+        def process_preflight(env, result)
+          headers = {}
+
+          request_method = env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          if request_method.nil?
+            result.miss(Result::MISS_NO_METHOD) and return headers
+          end
+          if !methods.include?(request_method.downcase)
+            result.miss(Result::MISS_DENY_METHOD) and return headers
+          end
+
+          request_headers = env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+          if request_headers && !allow_headers?(request_headers)
+            result.miss(Result::MISS_DENY_HEADER) and return headers
+          end
+
+          result.hit = true
+          headers.merge(to_preflight_headers(env))
         end
 
         def to_headers(env)
-          x_origin = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
           h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env['HTTP_ORIGIN']),
+            'Access-Control-Allow-Origin'     => origin_for_response_header(env[HTTP_ORIGIN]),
             'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
             'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
             'Access-Control-Max-Age'          => max_age.to_s }
@@ -187,33 +404,27 @@ module Rack
           end
 
           def origin_for_response_header(origin)
-            return '*' if public_resource? && !credentials
-            origin == 'file://' ? 'null' : origin
+            return '*' if public_resource?
+            origin
           end
 
           def to_preflight_headers(env)
             h = to_headers(env)
-            if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-              h.merge!('Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
+            if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+              h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
             end
             h
           end
 
-          def invalid_method_request?(env)
-            request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-            request_method.nil? || !methods.include?(request_method.downcase.to_sym)
-          end
-
-          def invalid_headers_request?(env)
-            request_headers = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-            request_headers && !allow_headers?(request_headers)
-          end
-
           def allow_headers?(request_headers)
-            return false if headers.nil?
-            headers == :any || begin
-              request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-              request_headers.all?{|h| headers.include?(h.downcase)}
+            headers = self.headers || []
+            if headers == :any
+              return true
+            end
+            request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
+            request_headers.all? do |header|
+              header = header.downcase
+              CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
             end
           end