RubyGems - rack-cors - Versions diffs - 0.3.1 → 0.4.0 - Mend

rack-cors 0.3.1 → 0.4.0

Potentially problematic release.

This version of rack-cors might be problematic. Click here for more details.

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0e212c45ff98679f235b713d3ae97074667cd4af
-  data.tar.gz: aacdef32fae6abecbfca418af44cb2d2f0f838c6
+  metadata.gz: 7dff10b0f517624773d305e553e1f6720dc576ac
+  data.tar.gz: 0919837eb9b79cedeb5c638ae9e9169ae4587dd6
 SHA512:
-  metadata.gz: 99702620fc7e5af96a9d340a6715dc9e56823d7e5dc48273cbc7fbba219d4ce7c637916f9b92f6b19cf9bf31c302bd55f0ec5d82889d9f31c4c593cfb6cc1462
-  data.tar.gz: 361ac5ff10a838811532d36351bdea83dd30a7551f757cdc3b717b6725545ad42866c186e06c721b90292cd9e3d496548112880a08cd71f61b5f2557287aab19
+  metadata.gz: acf2fa484542085cd98d4e4eafd9a62d9bf38a156e67015829c1c58ba8b899866afb6489f5202122ad2f7b4f70e9bd0c69253590dfb7c52c43095168d67f79bd
+  data.tar.gz: 3b40c2862c728310236da3070f061b040c8090068142ffe0decdd16d66f3cdf83e4520ccf07c6cde38bb43b95cd8e7d38d6f4cbb6a1e4d06d4eb2324901ff531

data/CHANGELOG CHANGED

@@ -1,6 +1,17 @@
 # Change Log
 All notable changes to this project will be documented in this file.
+## 0.4.0 - 2015-04-15
+### Changed
+- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
+### Added
+- Calculate vary headers for non-CORS resources
+- Support custom vary headers for resource
+- Support :if option for resource
+- Support :any as a possible value for :methods option
+### Fixed
+- Don't symbolize incoming HTTP request methods
 ## 0.3.1 - 2014-12-27
 ### Changed
 - Changed the env key to rack.cors to avoid Rack::Lint warnings

data/README.md CHANGED

@@ -83,9 +83,11 @@ A Resource path can be specified as exact string match (`/path/to/file.txt`) or
 * **methods** (string or array): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
-* **expose** (string or an array): The HTTP headers in the resource response can can be exposed to the client.
+* **expose** (string or array): The HTTP headers in the resource response can can be exposed to the client.
 * **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
 * **max_age** (number): Sets the `Access-Control-Max-Age` response header.
+* **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
+* **vary** (string or array): A list of HTTP headers to add to the 'Vary' header.
 ## Common Gotchas
@@ -109,5 +111,5 @@ bundle exec rake middleware
 In many cases, the Rack stack will be different running in production environments.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run the following command to see what your middleware stack looks like in production:
 ```bash
-bundle exec RAILS_ENV=production rake middleware
+RAILS_ENV=production bundle exec rake middleware
 ```

data/lib/rack/cors.rb CHANGED

@@ -5,7 +5,10 @@ module Rack
     ENV_KEY = 'rack.cors'.freeze
     ORIGIN_HEADER_KEY     = 'HTTP_ORIGIN'.freeze
+    ORIGIN_X_HEADER_KEY   = 'HTTP_X_ORIGIN'.freeze
     PATH_INFO_HEADER_KEY  = 'PATH_INFO'.freeze
+    VARY_HEADER_KEY       = 'Vary'.freeze
+    DEFAULT_VARY_HEADERS  = ['Origin'].freeze
     def initialize(app, opts={}, &block)
       @app = app
@@ -43,7 +46,7 @@ module Rack
     end
     def call(env)
-      env[ORIGIN_HEADER_KEY] ||= env['HTTP_X_ORIGIN']
+      env[ORIGIN_HEADER_KEY] ||= env[ORIGIN_X_HEADER_KEY] if env[ORIGIN_X_HEADER_KEY]
       add_headers = nil
       if env[ORIGIN_HEADER_KEY]
@@ -69,16 +72,28 @@ module Rack
         Result.miss(env, Result::MISS_NO_ORIGIN)
       end
+      # This call must be done BEFORE calling the app because for some reason
+      # env[PATH_INFO_HEADER_KEY] gets changed after that and it won't match.
+      # (At least in rails 4.1.6)
+      vary_resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
       status, headers, body = @app.call env
       if add_headers
         headers = headers.merge(add_headers)
+      end
-        # http://www.w3.org/TR/cors/#resource-implementation
-        unless headers['Access-Control-Allow-Origin'] == '*'
-          vary = headers['Vary']
-          headers['Vary'] = ((vary ? vary.split(/,\s*/) : []) + ['Origin']).uniq.join(', ')
+      # Vary header should ALWAYS mention Origin if there's ANY chance for the
+      # response to be different depending on the Origin header value.
+      # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
+      if vary_resource
+        vary = headers[VARY_HEADER_KEY]
+        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
+          vary_resource.vary_headers
+        else
+          DEFAULT_VARY_HEADERS
         end
+        headers[VARY_HEADER_KEY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
       end
       if debug? && result = env[ENV_KEY]
@@ -115,7 +130,7 @@ module Rack
       end
       def process_preflight(env)
-        resource, error = find_resource(env)
+        resource, error = match_resource(env)
         if resource
           Result.preflight_hit(env)
           preflight = resource.process_preflight(env)
@@ -128,7 +143,7 @@ module Rack
       end
       def process_cors(env)
-        resource, error = find_resource(env)
+        resource, error = match_resource(env)
         if resource
           Result.hit(env)
           cors = resource.to_headers(env)
@@ -140,7 +155,16 @@ module Rack
         end
       end
-      def find_resource(env)
+      def resource_for_path(path_info)
+        all_resources.each do |r|
+          if found = r.resource_for_path(path_info)
+            return found
+          end
+        end
+        nil
+      end
+      def match_resource(env)
         path   = env[PATH_INFO_HEADER_KEY]
         origin = env[ORIGIN_HEADER_KEY]
@@ -148,7 +172,7 @@ module Rack
         all_resources.each do |r|
           if r.allow_origin?(origin, env)
             origin_matched = true
-            if found = r.find_resource(path)
+            if found = r.match_resource(path, env)
               return [found, nil]
             end
           end
@@ -257,21 +281,27 @@ module Rack
           end
         end
-        def find_resource(path)
-          @resources.detect{|r| r.match?(path)}
+        def match_resource(path, env)
+          @resources.detect { |r| r.match?(path, env) }
         end
+        def resource_for_path(path)
+          @resources.detect { |r| r.matches_path?(path) }
+        end
       end
       class Resource
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern
+        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
         def initialize(public_resource, path, opts={})
-          self.path        = path
-          self.methods     = prepare_and_validate_methods_option(opts[:methods]) || [:get]
-          self.credentials = opts[:credentials].nil? ? true : opts[:credentials]
-          self.max_age     = opts[:max_age] || 1728000
-          self.pattern     = compile(path)
-          @public_resource = public_resource
+          self.path         = path
+          self.credentials  = opts[:credentials].nil? ? true : opts[:credentials]
+          self.max_age      = opts[:max_age] || 1728000
+          self.pattern      = compile(path)
+          self.if_proc      = opts[:if]
+          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
+          @public_resource  = public_resource
           self.headers = case opts[:headers]
           when :any then :any
@@ -280,13 +310,23 @@ module Rack
             [opts[:headers]].flatten.collect{|h| h.downcase}
           end
+          self.methods = case opts[:methods]
+          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
+          else
+            ensure_enum(opts[:methods]) || [:get]
+          end.map{|e| e.to_s }
           self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
         end
-        def match?(path)
+        def matches_path?(path)
           pattern =~ path
         end
+        def match?(path, env)
+          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
+        end
         def process_preflight(env)
           return nil if invalid_method_request?(env) || invalid_headers_request?(env)
           {'Content-Type' => 'text/plain'}.merge(to_preflight_headers(env))
@@ -323,7 +363,7 @@ module Rack
           def invalid_method_request?(env)
             request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-            request_method.nil? || !methods.include?(request_method.downcase.to_sym)
+            request_method.nil? || !methods.include?(request_method.downcase)
           end
           def invalid_headers_request?(env)
@@ -339,11 +379,6 @@ module Rack
             end
           end
-          def prepare_and_validate_methods_option setting
-            raise ArgumentError.new("rack-cors methods must be an single HTTP verb, or an array of verbs") if setting && setting == :any
-            ensure_enum setting
-          end
           def ensure_enum(v)
             return nil if v.nil?
             [v].flatten

data/lib/rack/cors/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Rack
   class Cors
-    VERSION = "0.3.1"
+    VERSION = "0.4.0"
   end
 end

data/test/unit/cors_test.rb CHANGED

@@ -75,16 +75,28 @@ describe Rack::Cors do
     last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test-1, expose-test-2'
   end
+  # Explanation: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
+  it "should add Vary header if resource matches even if Origin header isn't present" do
+    get '/'
+    should_render_cors_failure
+    last_response.headers['Vary'].must_equal 'Origin'
+  end
+  it "should add Vary header based on :vary option" do
+    cors_request '/vary_test'
+    last_response.headers['Vary'].must_equal 'Origin, Host'
+  end
   it 'should add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
     cors_request '/', :origin => "http://192.168.0.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://192.168.0.3:8080'
     last_response.headers['Vary'].wont_be_nil
   end
-  it 'should not add Vary header if Access-Control-Allow-Origin header was added and if it is generic (*)' do
+  it 'should add Vary header even if Access-Control-Allow-Origin header was added and it is generic (*)' do
     cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
-    last_response.headers['Vary'].must_be_nil
+    last_response.headers['Vary'].must_equal 'Origin'
   end
   it 'should support multi allow configurations for the same resource' do
@@ -94,7 +106,7 @@ describe Rack::Cors do
     cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
-    last_response.headers['Vary'].must_be_nil
+    last_response.headers['Vary'].must_equal 'Origin'
   end
   it "should not return CORS headers on OPTIONS request if Access-Control-Allow-Origin is not present" do
@@ -102,7 +114,18 @@ describe Rack::Cors do
     last_response.headers['Access-Control-Allow-Origin'].must_be_nil
   end
-  describe 'logging' do
+  it "should not apply CORS headers if it does not match conditional on resource" do
+    header 'Origin', 'http://192.168.0.1:1234'
+    get '/conditional'
+    should_render_cors_failure
+  end
+  it "should apply CORS headers if it does match conditional on resource" do
+    header 'X-OK', '1'
+    cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
+  end
+ describe 'logging' do
     it 'should not log debug messages if debug option is false' do
       app = mock
       app.stubs(:call).returns(200, {}, [''])
@@ -190,6 +213,11 @@ describe Rack::Cors do
       should_render_cors_success
     end
+    it 'should allow any method if methods = :any' do
+      preflight_request('http://localhost:3000', '/', :methods => :any)
+      should_render_cors_success
+    end
     it 'should allow header case insensitive match' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
       should_render_cors_success
@@ -244,6 +272,21 @@ describe Rack::Cors do
     end
   end
+  describe 'Rack::Lint' do
+    def app
+      @app ||= Rack::Builder.new do
+        use Rack::Cors
+        use Rack::Lint
+        run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+      end
+    end
+    it 'is lint-compliant with non-CORS request' do
+      get '/'
+      last_response.status.must_equal 200
+    end
+  end
   protected
     def cors_request(*args)
       path = args.first.is_a?(String) ? args.first : '/'

data/test/unit/test.ru CHANGED

@@ -1,17 +1,20 @@
 require 'rack/cors'
 #use Rack::Cors, :debug => true, :logger => ::Logger.new(STDOUT) do
+use Rack::Lint
 use Rack::Cors do
   allow do
     origins 'localhost:3000', '127.0.0.1:3000', /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/, 'file://'
     resource '/get-only', :methods => :get
-    resource '/', :headers => :any
+    resource '/', :headers => :any, :methods => :any
     resource '/options', :methods => :options
     resource '/single_header', :headers => 'x-domain-token'
     resource '/two_headers', :headers => %w{x-domain-token x-requested-with}
     resource '/expose_single_header', :expose => 'expose-test'
     resource '/expose_multiple_headers', :expose => %w{expose-test-1 expose-test-2}
+    resource '/conditional', :methods => :get, :if => proc { |env| !!env['HTTP_X_OK'] }
+    resource '/vary_test', :methods => :get, :vary => %w{ Origin Host }
     # resource '/file/at/*',
     #     :methods => [:get, :post, :put, :delete],
     #     :headers => :any,

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cors
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Calvin Yu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-12-27 00:00:00.000000000 Z
+date: 2015-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps