rack-cors 0.4.0 → 0.4.1
Potentially problematic release.
- checksums.yaml +4 -4
- data/.travis.yml +6 -0
- data/CHANGELOG +4 -0
- data/Gemfile +2 -0
- data/README.md +52 -32
- data/lib/rack/cors.rb +11 -4
- data/lib/rack/cors/version.rb +1 -1
- data/test/unit/cors_test.rb +41 -4
- data/test/unit/test.ru +5 -1
- metadata +4 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: aaa518c3408420a39bd3c41bd822cdda6309beb2
|
4
|
+
data.tar.gz: 8fa4c9d5141e4d6c4df8600175f44ba6803ebe9f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 633c772b16e08fad8fb93a7d1bf5d62a398abb534a27ce0d44df843242c5e1077112e98b1eb7e2d3849da952fec1754cd2e8451195c1a2c86ac567d69652b859
|
7
|
+
data.tar.gz: 8e0265d2d82db72ac68871dcf0eaf974809638d5a52514f99392b731fe09050ab07968c5e538a35d7bba2b7892cc62b3d6b7b401fe8a05c4648f5ad57a092abf
|
data/.travis.yml
ADDED
data/CHANGELOG
CHANGED
@@ -1,6 +1,10 @@
|
|
1
1
|
# Change Log
|
2
2
|
All notable changes to this project will be documented in this file.
|
3
3
|
|
4
|
+
## 0.4.1 - 2017-02-01
|
5
|
+
### Fixed
|
6
|
+
- Return miss result in X-Rack-CORS instead of incorrectly returning preflight-hit
|
7
|
+
|
4
8
|
## 0.4.0 - 2015-04-15
|
5
9
|
### Changed
|
6
10
|
- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
|
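Review bot: the new `## 0.4.1` entry lists only the X-Rack-CORS miss fix, but other hunks in this release change behaviour that users upgrading should see: string origins in `lib/rack/cors.rb` are now anchored at the end (the appended `$`), so a configured `example.com` no longer matches a longer hostname that merely starts with it; application-set headers now take precedence over the middleware's CORS headers (`add_headers.merge(headers)`); and debug mode adds `X-Rack-CORS-Original-*` headers. The origin anchoring in particular is a security-relevant fix, so suggest a line for it under `### Fixed` and a `### Changed` line for the header precedence.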
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
|
2
2
|
|
3
|
-
`Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
|
3
|
+
`Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
|
4
4
|
|
5
5
|
The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
|
6
6
|
|
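Review bot: the removed and added line 3 render identically, so this is presumably a whitespace-only change (trailing space or line ending). Harmless, but worth confirming it was intended rather than an editor side effect.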
@@ -19,7 +19,43 @@ gem 'rack-cors', :require => 'rack/cors'
|
|
19
19
|
|
20
20
|
## Configuration
|
21
21
|
|
22
|
-
###
|
22
|
+
### Rails Configuration
|
23
|
+
Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
|
24
|
+
|
25
|
+
```ruby
|
26
|
+
module YourApp
|
27
|
+
class Application < Rails::Application
|
28
|
+
|
29
|
+
# ...
|
30
|
+
|
31
|
+
# Rails 3/4
|
32
|
+
|
33
|
+
config.middleware.insert_before 0, "Rack::Cors" do
|
34
|
+
allow do
|
35
|
+
origins '*'
|
36
|
+
resource '*', :headers => :any, :methods => [:get, :post, :options]
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
# Rails 5
|
41
|
+
|
42
|
+
config.middleware.insert_before 0, Rack::Cors do
|
43
|
+
allow do
|
44
|
+
origins '*'
|
45
|
+
resource '*', :headers => :any, :methods => [:get, :post, :options]
|
46
|
+
end
|
47
|
+
end
|
48
|
+
|
49
|
+
end
|
50
|
+
end
|
51
|
+
```
|
52
|
+
Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
|
53
|
+
|
54
|
+
See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
|
55
|
+
|
56
|
+
### Rack Configuration
|
57
|
+
|
58
|
+
NOTE: If you're running Rails, updating in `config/application.rb` should be enough. There is no need to update `config.ru` as well.
|
23
59
|
|
24
60
|
In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
|
25
61
|
|
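Review bot: the Rails example that now leads the Configuration section (both the Rails 3/4 and Rails 5 blocks) uses `origins '*'` with `resource '*', :headers => :any`, i.e. every origin on every path, and the sentence above it presents that as what to put in `config/application.rb`. Since this is the block most people copy, suggest one sentence after the code saying that `'*'` should be narrowed to the origins the application actually serves, with a pointer to the security note in the Origin reference section. The Rails 5 variant correctly passes the `Rack::Cors` constant rather than the `"Rack::Cors"` string, and the railscast link now keeps the trailing period outside the URL, which fixes the previously broken link.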
@@ -27,12 +63,12 @@ In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
|
|
27
63
|
use Rack::Cors do
|
28
64
|
allow do
|
29
65
|
origins 'localhost:3000', '127.0.0.1:3000',
|
30
|
-
|
66
|
+
/\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/
|
31
67
|
# regular expressions can be used here
|
32
68
|
|
33
69
|
resource '/file/list_all/', :headers => 'x-domain-token'
|
34
70
|
resource '/file/at/*',
|
35
|
-
:methods => [:get, :post, :put, :
|
71
|
+
:methods => [:get, :post, :delete, :put, :patch, :options, :head],
|
36
72
|
:headers => 'x-domain-token',
|
37
73
|
:expose => ['Some-Custom-Response-Header'],
|
38
74
|
:max_age => 600
|
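Review bot: the origin regexp on line 66, `/\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/`, is anchored with `\A` and `\z`, which is exactly what the Origin section's security note recommends, so the example now practices what the reference preaches. Two small points: `\d{1,3}` also admits octets above 255 (for example `192.168.0.999`), harmless in an example but worth noting for anyone copying it into production config; and the comment `# regular expressions can be used here` on line 67 now sits below the regexp it describes, so consider moving it onto the same line or above it.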
@@ -46,44 +82,28 @@ use Rack::Cors do
|
|
46
82
|
end
|
47
83
|
```
|
48
84
|
|
49
|
-
### Rails
|
50
|
-
Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
|
51
|
-
|
52
|
-
```ruby
|
53
|
-
module YourApp
|
54
|
-
class Application < Rails::Application
|
55
|
-
|
56
|
-
# ...
|
57
|
-
|
58
|
-
config.middleware.insert_before 0, "Rack::Cors" do
|
59
|
-
allow do
|
60
|
-
origins '*'
|
61
|
-
resource '*', :headers => :any, :methods => [:get, :post, :options]
|
62
|
-
end
|
63
|
-
end
|
64
|
-
|
65
|
-
end
|
66
|
-
end
|
67
|
-
```
|
68
|
-
Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
|
69
|
-
|
70
|
-
See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware.)
|
71
|
-
|
72
85
|
### Configuration Reference
|
73
86
|
|
74
87
|
#### Middleware Options
|
75
88
|
* **debug** (boolean): Enables debug logging and `X-Rack-CORS` HTTP headers for debugging.
|
76
|
-
* **logger** (Object or Proc): Specify the logger to log to. If a proc is provided, it will be called when a logger is needed
|
89
|
+
* **logger** (Object or Proc): Specify the logger to log to. If a proc is provided, it will be called when a logger is needed. This is helpful in cases where the logger is initialized after `Rack::Cors` is initially configured, like `Rails.logger`.
|
77
90
|
|
78
91
|
#### Origin
|
79
|
-
Origins can be specified as a string, a regular expression, or as '
|
92
|
+
Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
|
93
|
+
|
94
|
+
**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive. For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*. It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
|
95
|
+
|
96
|
+
Additionally, origins can be specified dynamically via a block of the following form:
|
97
|
+
```ruby
|
98
|
+
origins { |source, env| true || false }
|
99
|
+
```
|
80
100
|
|
81
101
|
#### Resource
|
82
|
-
A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '
|
102
|
+
A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`). A resource can take the following options:
|
83
103
|
|
84
|
-
* **methods** (string or array): The HTTP methods allowed for the resource.
|
104
|
+
* **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
|
85
105
|
* **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request. Use `:any` to allow for any headers in the actual request.
|
86
|
-
* **expose** (string or array): The HTTP headers in the resource response can
|
106
|
+
* **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
|
87
107
|
* **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
|
88
108
|
* **max_age** (number): Sets the `Access-Control-Max-Age` response header.
|
89
109
|
* **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
|
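Review bot: the security note added at line 94 is the most important sentence in this README change and is correct: an unanchored `/https:\/\/example\.com/` also matches `https://example.com.randomdomainname.co.uk`, and `\A` plus `\z` closes that. It is written as `**\*SECURITY NOTE:**`, which renders a literal asterisk inside the bold; suggest `**SECURITY NOTE:**`. The dynamic-origin example on line 98, `origins { |source, env| true || false }`, reads as a placeholder; a sentence stating what `source` is (the request's Origin value, if that is the contract) and that the block must return a boolean would make it explicit, and since the middleware pushes the block onto the origins list, it is worth saying that a block that always returns true is equivalent to `'*'`. The `**methods**` entry now documents `:any`, matching `:methods => :any` already used in `test/unit/test.ru`.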
data/lib/rack/cors.rb
CHANGED
@@ -13,6 +13,7 @@ module Rack
|
|
13
13
|
def initialize(app, opts={}, &block)
|
14
14
|
@app = app
|
15
15
|
@debug_mode = !!opts[:debug]
|
16
|
+
@logger = @logger_proc = nil
|
16
17
|
|
17
18
|
if logger = opts[:logger]
|
18
19
|
if logger.respond_to? :call
|
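Review bot: initialising `@logger = @logger_proc = nil` on line 16 before the `if logger = opts[:logger]` branch is the right fix for the case where no `:logger` option is passed; it avoids instance-variable-not-initialized warnings under `ruby -w` and makes the nil state explicit rather than implicit.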
@@ -80,7 +81,14 @@ module Rack
|
|
80
81
|
status, headers, body = @app.call env
|
81
82
|
|
82
83
|
if add_headers
|
83
|
-
headers =
|
84
|
+
headers = add_headers.merge(headers)
|
85
|
+
debug(env) do
|
86
|
+
add_headers.each_pair do |key, value|
|
87
|
+
if headers.has_key?(key)
|
88
|
+
headers["X-Rack-CORS-Original-#{key}"] = value
|
89
|
+
end
|
90
|
+
end
|
91
|
+
end
|
84
92
|
end
|
85
93
|
|
86
94
|
# Vary header should ALWAYS mention Origin if there's ANY chance for the
|
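Review bot: the merge order on line 84, `add_headers.merge(headers)`, means the application's own headers override the middleware's computed CORS headers (the new test asserts that an app-set `Access-Control-Allow-Origin: http://foo.net` wins). That is a deliberate precedence choice, but it appears in neither the CHANGELOG nor the README, and it matters for security: a handler that sets a broader `Access-Control-Allow-Origin` than the middleware would have silently widens the policy. Suggest documenting it next to the middleware options and emitting a log line for the override in addition to the `X-Rack-CORS-Original-#{key}` header, so the fact is visible in server logs and not only to a client talking to a debug-mode deployment. Also note that the detection relies on `headers.has_key?(key)`: it only fires when the app's header hash uses the same key spelling as the middleware, so a plain Hash with a lower-cased key would not be reported.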
@@ -232,7 +240,7 @@ module Rack
|
|
232
240
|
preflight? ? 'preflight-hit' : 'hit'
|
233
241
|
else
|
234
242
|
[
|
235
|
-
(preflight? ? 'preflight-miss' : '
|
243
|
+
(preflight? ? 'preflight-miss' : 'miss'),
|
236
244
|
miss_reason
|
237
245
|
].join('; ')
|
238
246
|
end
|
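Review bot: line 243 completes the `'miss'` branch of the ternary so that a non-preflight request that fails the CORS check reports `miss; <reason>` in `X-Rack-CORS`, which is the fix the CHANGELOG names. No test in this diff covers that path; suggest one alongside the new debug tests that sends a plain `GET` from an origin the fixture does not allow with `debug: true` and asserts that `last_response.headers['X-Rack-CORS']` starts with `miss`.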
@@ -253,7 +261,7 @@ module Rack
|
|
253
261
|
/^https?:\/\//,
|
254
262
|
'file://' then n
|
255
263
|
when '*' then @public_resources = true; n
|
256
|
-
else Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}")
|
264
|
+
else Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
|
257
265
|
end
|
258
266
|
end.flatten
|
259
267
|
@origins.push(blk) if blk
|
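Review bot: the `$` appended on line 264 closes the prefix-match gap for string origins (without it, `^scheme://example.com` also matched an Origin of `http://example.com.anything`), but Ruby's `^` and `$` are line anchors, not string anchors; `\A` and `\z` are the string anchors the README's own security note recommends. Suggest `Regexp.compile("\\A[a-z][a-z0-9.+-]*:\\/\\/#{Regexp.quote(n)}\\z")`. An Origin value that reaches Rack is unlikely to contain a newline, so the practical exposure is small, but the stricter anchor costs nothing and keeps the library consistent with its documentation. A unit test matching a string origin against a longer hostname would pin the fix.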
@@ -333,7 +341,6 @@ module Rack
|
|
333
341
|
end
|
334
342
|
|
335
343
|
def to_headers(env)
|
336
|
-
x_origin = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
|
337
344
|
h = {
|
338
345
|
'Access-Control-Allow-Origin' => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
|
339
346
|
'Access-Control-Allow-Methods' => methods.collect{|m| m.to_s.upcase}.join(', '),
|
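Review bot: removing the unused `x_origin` local on line 336 is fine; it read `HTTP_ACCESS_CONTROL_REQUEST_HEADERS`, which nothing in `to_headers` used, and the name was misleading because that env key carries a preflight's requested header names, not an origin.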
data/lib/rack/cors/version.rb
CHANGED
data/test/unit/cors_test.rb
CHANGED
@@ -1,4 +1,3 @@
|
|
1
|
-
require 'rubygems'
|
2
1
|
require 'minitest/autorun'
|
3
2
|
require 'rack/test'
|
4
3
|
require 'mocha/setup'
|
@@ -6,9 +5,11 @@ require 'rack/cors'
|
|
6
5
|
require 'ostruct'
|
7
6
|
|
8
7
|
Rack::Test::Session.class_eval do
|
9
|
-
|
10
|
-
|
11
|
-
|
8
|
+
unless defined? :options
|
9
|
+
def options(uri, params = {}, env = {}, &block)
|
10
|
+
env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
|
11
|
+
process_request(uri, env, &block)
|
12
|
+
end
|
12
13
|
end
|
13
14
|
end
|
14
15
|
|
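Review bot: the guard `unless defined? :options` on line 8 never does what it intends. `defined?` applied to the symbol literal `:options` always returns `"expression"`, so the condition is always false and the `options` helper inside it is never defined; the tests pass only because `Rack::Test::Session` already provides its own `options` method. Use `unless method_defined?(:options)` inside the `class_eval` block, or drop the monkey-patch entirely if every supported rack-test version ships `options`.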
@@ -55,10 +56,20 @@ describe Rack::Cors do
|
|
55
56
|
cors_request :origin => 'http://192.168.0.1:1234'
|
56
57
|
end
|
57
58
|
|
59
|
+
it 'should support subdomain example' do
|
60
|
+
cors_request :origin => 'http://subdomain.example.com'
|
61
|
+
end
|
62
|
+
|
58
63
|
it 'should support proc origins configuration' do
|
59
64
|
cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
|
60
65
|
end
|
61
66
|
|
67
|
+
it 'should not mix up path rules across origins' do
|
68
|
+
header 'Origin', 'http://10.10.10.10:3000'
|
69
|
+
get '/' # / is configured in a separate rule block
|
70
|
+
should_render_cors_failure
|
71
|
+
end
|
72
|
+
|
62
73
|
it 'should support alternative X-Origin header' do
|
63
74
|
header 'X-Origin', 'http://localhost:3000'
|
64
75
|
get '/'
|
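Review bot: the `'should support subdomain example'` test on lines 59-61 only checks the positive case for the `/http:\/\/(.*?)\.example\.com/` origin rule in `test/unit/test.ru`. Because that regexp is unanchored, it also accepts an origin whose hostname merely contains `.example.com`, the exact trap the README's new security note describes; a companion negative test in the same shape as the path-rules test on lines 67-71 (`header 'Origin', 'http://subdomain.example.com.invalid'`, `get '/'`, `should_render_cors_failure`) would fail today and document the intended boundary. The `'should not mix up path rules across origins'` test is a good addition and its inline comment explains why `/` is expected to miss.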
@@ -287,6 +298,32 @@ describe Rack::Cors do
|
|
287
298
|
end
|
288
299
|
end
|
289
300
|
|
301
|
+
describe 'with app overriding CORS header' do
|
302
|
+
let(:app) do
|
303
|
+
Rack::Builder.new do
|
304
|
+
use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
|
305
|
+
allow do
|
306
|
+
origins '*'
|
307
|
+
resource '/'
|
308
|
+
end
|
309
|
+
end
|
310
|
+
map('/') do
|
311
|
+
run ->(env) { [200, {'Content-Type' => 'text/plain', 'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
|
312
|
+
end
|
313
|
+
end
|
314
|
+
end
|
315
|
+
|
316
|
+
it "should return app header" do
|
317
|
+
cors_request origin: "http://example.net"
|
318
|
+
last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
|
319
|
+
end
|
320
|
+
|
321
|
+
it "should return original headers if in debug" do
|
322
|
+
cors_request origin: "http://example.net"
|
323
|
+
last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "http://example.net"
|
324
|
+
end
|
325
|
+
end
|
326
|
+
|
290
327
|
protected
|
291
328
|
def cors_request(*args)
|
292
329
|
path = args.first.is_a?(String) ? args.first : '/'
|
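Review bot: both tests in the new `'with app overriding CORS header'` block build the app with `debug: true`, so the debug path is the only one exercised. Add a third case without `debug` asserting that `X-Rack-CORS-Original-Access-Control-Allow-Origin` is absent, so a later change cannot leak the middleware's computed origin to clients in production. The expected `"http://example.net"` on line 323 documents that with `origins '*'` the middleware echoes the request origin rather than emitting a literal `*` for this resource; a short comment saying so would help the next reader. Finally, `Logger.new(StringIO.new)` on line 304 depends on `logger` and `stringio` being loaded by something else; explicit `require` lines at the top of the file would make the test self-contained.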
data/test/unit/test.ru
CHANGED
@@ -4,7 +4,11 @@ require 'rack/cors'
|
|
4
4
|
use Rack::Lint
|
5
5
|
use Rack::Cors do
|
6
6
|
allow do
|
7
|
-
origins 'localhost:3000',
|
7
|
+
origins 'localhost:3000',
|
8
|
+
'127.0.0.1:3000',
|
9
|
+
/http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/,
|
10
|
+
'file://',
|
11
|
+
/http:\/\/(.*?)\.example\.com/
|
8
12
|
|
9
13
|
resource '/get-only', :methods => :get
|
10
14
|
resource '/', :headers => :any, :methods => :any
|
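Review bot: the regexps added on lines 9 and 11, `/http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/` and `/http:\/\/(.*?)\.example\.com/`, are both unanchored, while the README updated in this same release tells users to enclose origin regexps in `\A` and `\z` and shows the same 192.168.0.x pattern anchored. The test fixture is the first thing people crib from when the README is unclear, so it should follow the advice: `/\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/` and `/\Ahttp:\/\/(.*?)\.example\.com\z/`. The existing subdomain test still passes with the anchored forms, and the lazy `(.*?)` adds nothing once the pattern is anchored.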
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-cors
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Calvin Yu
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-02-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -89,6 +89,7 @@ executables: []
|
|
89
89
|
extensions: []
|
90
90
|
extra_rdoc_files: []
|
91
91
|
files:
|
92
|
+
- ".travis.yml"
|
92
93
|
- CHANGELOG
|
93
94
|
- Gemfile
|
94
95
|
- LICENSE.txt
|
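Review bot: `.travis.yml` is now listed under `files:` on line 92 and is therefore packaged inside the gem. CI configuration is not needed at runtime; suggest excluding it from the gemspec's file list (for example by rejecting dotfiles and CI config when building `spec.files`) so the shipped package contains only what users of the library need.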
@@ -127,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
127
128
|
version: '0'
|
128
129
|
requirements: []
|
129
130
|
rubyforge_project:
|
130
|
-
rubygems_version: 2.
|
131
|
+
rubygems_version: 2.5.2
|
131
132
|
signing_key:
|
132
133
|
specification_version: 4
|
133
134
|
summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps
|