rack-cors 0.4.0 → 0.4.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 7dff10b0f517624773d305e553e1f6720dc576ac
4
- data.tar.gz: 0919837eb9b79cedeb5c638ae9e9169ae4587dd6
3
+ metadata.gz: aaa518c3408420a39bd3c41bd822cdda6309beb2
4
+ data.tar.gz: 8fa4c9d5141e4d6c4df8600175f44ba6803ebe9f
5
5
  SHA512:
6
- metadata.gz: acf2fa484542085cd98d4e4eafd9a62d9bf38a156e67015829c1c58ba8b899866afb6489f5202122ad2f7b4f70e9bd0c69253590dfb7c52c43095168d67f79bd
7
- data.tar.gz: 3b40c2862c728310236da3070f061b040c8090068142ffe0decdd16d66f3cdf83e4520ccf07c6cde38bb43b95cd8e7d38d6f4cbb6a1e4d06d4eb2324901ff531
6
+ metadata.gz: 633c772b16e08fad8fb93a7d1bf5d62a398abb534a27ce0d44df843242c5e1077112e98b1eb7e2d3849da952fec1754cd2e8451195c1a2c86ac567d69652b859
7
+ data.tar.gz: 8e0265d2d82db72ac68871dcf0eaf974809638d5a52514f99392b731fe09050ab07968c5e538a35d7bba2b7892cc62b3d6b7b401fe8a05c4648f5ad57a092abf
@@ -0,0 +1,6 @@
1
+ language: ruby
2
+ sudo: false
3
+ rvm:
4
+ - 2.2.5
5
+ - 2.3.0
6
+ - 2.3.1
data/CHANGELOG CHANGED
@@ -1,6 +1,10 @@
1
1
  # Change Log
2
2
  All notable changes to this project will be documented in this file.
3
3
 
4
+ ## 0.4.1 - 2017-02-01
5
+ ### Fixed
6
+ - Return miss result in X-Rack-CORS instead of incorrectly returning preflight-hit
7
+
4
8
  ## 0.4.0 - 2015-04-15
5
9
  ### Changed
6
10
  - Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
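Review bot: The new 0.4.1 entry lists only the X-Rack-CORS miss fix, but this release also changes behaviour in two places users will want to know about: string origins are now compiled with a trailing `$` anchor (the `Regexp.compile("...#{Regexp.quote(n)}$")` change), and response headers are now merged as `add_headers.merge(headers)`, so a header set by the application takes precedence over the middleware's CORS headers. Both deserve their own lines under 0.4.1, the first under Fixed and the second under Changed.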
data/Gemfile CHANGED
@@ -2,3 +2,5 @@ source 'https://rubygems.org'
2
2
 
3
3
  # Specify your gem's dependencies in rack-cors.gemspec
4
4
  gemspec
5
+
6
+ gem 'pry-byebug'
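Review bot: `gem 'pry-byebug'` is added to the Gemfile at top level, so every `bundle install` against this repository, including CI on the Ruby versions listed in the new .travis.yml, pulls in a debugger. Move it into a `group :development do ... end` block, or declare it with `add_development_dependency` in rack-cors.gemspec, which the comment two lines above names as the place for the gem's dependencies.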
data/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
2
2
 
3
- `Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
3
+ `Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
4
4
 
5
5
  The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
6
6
 
@@ -19,7 +19,43 @@ gem 'rack-cors', :require => 'rack/cors'
19
19
 
20
20
  ## Configuration
21
21
 
22
- ### Rack
22
+ ### Rails Configuration
23
+ Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
24
+
25
+ ```ruby
26
+ module YourApp
27
+ class Application < Rails::Application
28
+
29
+ # ...
30
+
31
+ # Rails 3/4
32
+
33
+ config.middleware.insert_before 0, "Rack::Cors" do
34
+ allow do
35
+ origins '*'
36
+ resource '*', :headers => :any, :methods => [:get, :post, :options]
37
+ end
38
+ end
39
+
40
+ # Rails 5
41
+
42
+ config.middleware.insert_before 0, Rack::Cors do
43
+ allow do
44
+ origins '*'
45
+ resource '*', :headers => :any, :methods => [:get, :post, :options]
46
+ end
47
+ end
48
+
49
+ end
50
+ end
51
+ ```
52
+ Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
53
+
54
+ See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
55
+
56
+ ### Rack Configuration
57
+
58
+ NOTE: If you're running Rails, updating in `config/application.rb` should be enough. There is no need to update `config.ru` as well.
23
59
 
24
60
  In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
25
61
 
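Review bot: The `# Rails 3/4` and `# Rails 5` blocks are identical except that one passes the middleware as the string `"Rack::Cors"` and the other as the constant `Rack::Cors`; the comments should say why (Rails 5 deprecated referring to middleware by class-name string), otherwise readers will copy whichever block they see first. The example itself (`origins '*'` with `:headers => :any`) is the most permissive configuration the middleware supports, so a one-line pointer to the Origin and Resource reference further down would help readers tighten it for their own origins. Also a typo in the moved text: `See The [Rails Guide to Rack]` should read `See the`.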
@@ -27,12 +63,12 @@ In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
27
63
  use Rack::Cors do
28
64
  allow do
29
65
  origins 'localhost:3000', '127.0.0.1:3000',
30
- /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/
66
+ /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/
31
67
  # regular expressions can be used here
32
68
 
33
69
  resource '/file/list_all/', :headers => 'x-domain-token'
34
70
  resource '/file/at/*',
35
- :methods => [:get, :post, :put, :delete, :options],
71
+ :methods => [:get, :post, :delete, :put, :patch, :options, :head],
36
72
  :headers => 'x-domain-token',
37
73
  :expose => ['Some-Custom-Response-Header'],
38
74
  :max_age => 600
@@ -46,44 +82,28 @@ use Rack::Cors do
46
82
  end
47
83
  ```
48
84
 
49
- ### Rails
50
- Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
51
-
52
- ```ruby
53
- module YourApp
54
- class Application < Rails::Application
55
-
56
- # ...
57
-
58
- config.middleware.insert_before 0, "Rack::Cors" do
59
- allow do
60
- origins '*'
61
- resource '*', :headers => :any, :methods => [:get, :post, :options]
62
- end
63
- end
64
-
65
- end
66
- end
67
- ```
68
- Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
69
-
70
- See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware.)
71
-
72
85
  ### Configuration Reference
73
86
 
74
87
  #### Middleware Options
75
88
  * **debug** (boolean): Enables debug logging and `X-Rack-CORS` HTTP headers for debugging.
76
- * **logger** (Object or Proc): Specify the logger to log to. If a proc is provided, it will be called when a logger is needed (this is helpful in cases where the logger is initialized after `Rack::Cors` is used, like `Rails.logger`.
89
+ * **logger** (Object or Proc): Specify the logger to log to. If a proc is provided, it will be called when a logger is needed. This is helpful in cases where the logger is initialized after `Rack::Cors` is initially configured, like `Rails.logger`.
77
90
 
78
91
  #### Origin
79
- Origins can be specified as a string, a regular expression, or as '*' to allow all origins.
92
+ Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
93
+
94
+ **\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive. For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*. It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
95
+
96
+ Additionally, origins can be specified dynamically via a block of the following form:
97
+ ```ruby
98
+ origins { |source, env| true || false }
99
+ ```
80
100
 
81
101
  #### Resource
82
- A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '*' wildcard (`/all/files/in/*`). A resource that take the following options:
102
+ A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`). A resource can take the following options:
83
103
 
84
- * **methods** (string or array): The HTTP methods allowed for the resource.
104
+ * **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
85
105
  * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request. Use `:any` to allow for any headers in the actual request.
86
- * **expose** (string or array): The HTTP headers in the resource response can can be exposed to the client.
106
+ * **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
87
107
  * **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
88
108
  * **max_age** (number): Sets the `Access-Control-Max-Age` response header.
89
109
  * **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
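Review bot: In the new security note, `(\A\z)` reads as a single token; write the recommendation out as the anchored form of the same example, `/\Ahttps:\/\/example\.com\z/`, so it contrasts directly with the unanchored `/https:\/\/example\.com/` that matches *example.com.randomdomainname.co.uk*. The dynamic-origin example `origins { |source, env| true || false }` always returns true and does not show what `source` holds; a predicate that actually inspects it, for instance `origins { |source, env| source == 'https://app.example.com' }` (constructed illustration), would document the block contract. Finally, `**\*SECURITY NOTE:**` carries a stray escaped asterisk inside the bold marker.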
@@ -13,6 +13,7 @@ module Rack
13
13
  def initialize(app, opts={}, &block)
14
14
  @app = app
15
15
  @debug_mode = !!opts[:debug]
16
+ @logger = @logger_proc = nil
16
17
 
17
18
  if logger = opts[:logger]
18
19
  if logger.respond_to? :call
@@ -80,7 +81,14 @@ module Rack
80
81
  status, headers, body = @app.call env
81
82
 
82
83
  if add_headers
83
- headers = headers.merge(add_headers)
84
+ headers = add_headers.merge(headers)
85
+ debug(env) do
86
+ add_headers.each_pair do |key, value|
87
+ if headers.has_key?(key)
88
+ headers["X-Rack-CORS-Original-#{key}"] = value
89
+ end
90
+ end
91
+ end
84
92
  end
85
93
 
86
94
  # Vary header should ALWAYS mention Origin if there's ANY chance for the
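Review bot: Flipping the merge to `add_headers.merge(headers)` means an application-supplied header now silently overrides the value the middleware computed after validating the origin (the new test asserts exactly that: `Access-Control-Allow-Origin` becomes `http://foo.net`). That is a precedence change not mentioned in the CHANGELOG, and it should be, since it is the app's header rather than the allow-listed one that reaches the browser. The override detection also uses `headers.has_key?(key)` with the exact string the middleware emits, so an app that sets the same header with different casing (`access-control-allow-origin`) ends up with two copies in the response and no `X-Rack-CORS-Original-*` record; wrapping `headers` in `Rack::Utils::HeaderHash` before the merge and the `has_key?` check makes both case-insensitive.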
@@ -232,7 +240,7 @@ module Rack
232
240
  preflight? ? 'preflight-hit' : 'hit'
233
241
  else
234
242
  [
235
- (preflight? ? 'preflight-miss' : 'preflight-hit'),
243
+ (preflight? ? 'preflight-miss' : 'miss'),
236
244
  miss_reason
237
245
  ].join('; ')
238
246
  end
@@ -253,7 +261,7 @@ module Rack
253
261
  /^https?:\/\//,
254
262
  'file://' then n
255
263
  when '*' then @public_resources = true; n
256
- else Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}")
264
+ else Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
257
265
  end
258
266
  end.flatten
259
267
  @origins.push(blk) if blk
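Review bot: The new anchor is `$`, which in Ruby matches at the end of any line rather than the end of the string; `\z` is the strict end-of-string anchor (with `\A` in place of `^` at the start), and it is also what the README's new security note recommends for user-supplied patterns. Origin header values should never contain a newline, so the practical gap is small, but the library's own compiled pattern should follow the advice it gives: `Regexp.compile("\\A[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}\\z")`.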
@@ -333,7 +341,6 @@ module Rack
333
341
  end
334
342
 
335
343
  def to_headers(env)
336
- x_origin = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
337
344
  h = {
338
345
  'Access-Control-Allow-Origin' => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
339
346
  'Access-Control-Allow-Methods' => methods.collect{|m| m.to_s.upcase}.join(', '),
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  class Cors
3
- VERSION = "0.4.0"
3
+ VERSION = "0.4.1"
4
4
  end
5
5
  end
@@ -1,4 +1,3 @@
1
- require 'rubygems'
2
1
  require 'minitest/autorun'
3
2
  require 'rack/test'
4
3
  require 'mocha/setup'
@@ -6,9 +5,11 @@ require 'rack/cors'
6
5
  require 'ostruct'
7
6
 
8
7
  Rack::Test::Session.class_eval do
9
- def options(uri, params = {}, env = {}, &block)
10
- env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
11
- process_request(uri, env, &block)
8
+ unless defined? :options
9
+ def options(uri, params = {}, env = {}, &block)
10
+ env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
11
+ process_request(uri, env, &block)
12
+ end
12
13
  end
13
14
  end
14
15
 
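Review bot: `unless defined? :options` does not test for the method: `defined?` applied to the symbol literal `:options` always returns `"expression"`, so the guard is always truthy and the `options` helper is never defined inside `Rack::Test::Session`. If the intent is to add `options` only on rack-test versions that lack it, use `unless method_defined?(:options)`, which inside the `class_eval` block checks `Rack::Test::Session` itself. As written, the suite passes only because the installed rack-test already provides `options`; on a version without it the OPTIONS-based tests would raise `NoMethodError`.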
@@ -55,10 +56,20 @@ describe Rack::Cors do
55
56
  cors_request :origin => 'http://192.168.0.1:1234'
56
57
  end
57
58
 
59
+ it 'should support subdomain example' do
60
+ cors_request :origin => 'http://subdomain.example.com'
61
+ end
62
+
58
63
  it 'should support proc origins configuration' do
59
64
  cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
60
65
  end
61
66
 
67
+ it 'should not mix up path rules across origins' do
68
+ header 'Origin', 'http://10.10.10.10:3000'
69
+ get '/' # / is configured in a separate rule block
70
+ should_render_cors_failure
71
+ end
72
+
62
73
  it 'should support alternative X-Origin header' do
63
74
  header 'X-Origin', 'http://localhost:3000'
64
75
  get '/'
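Review bot: `should support subdomain example` only asserts that a legitimate `http://subdomain.example.com` origin is accepted; there is no companion negative case showing that a lookalike host such as `http://subdomain.example.com.example.org` (constructed) is rejected, which is exactly the failure mode the README's new security note describes. With the unanchored `/http:\/\/(.*?)\.example\.com/` pattern the test fixture uses, that negative case would fail today, so adding it would either push the fixture to an anchored pattern or document the gap. The new `should not mix up path rules across origins` case is a good addition; consider also asserting on the `X-Rack-CORS` value, since the `miss` string is what this release fixes.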
@@ -287,6 +298,32 @@ describe Rack::Cors do
287
298
  end
288
299
  end
289
300
 
301
+ describe 'with app overriding CORS header' do
302
+ let(:app) do
303
+ Rack::Builder.new do
304
+ use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
305
+ allow do
306
+ origins '*'
307
+ resource '/'
308
+ end
309
+ end
310
+ map('/') do
311
+ run ->(env) { [200, {'Content-Type' => 'text/plain', 'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
312
+ end
313
+ end
314
+ end
315
+
316
+ it "should return app header" do
317
+ cors_request origin: "http://example.net"
318
+ last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
319
+ end
320
+
321
+ it "should return original headers if in debug" do
322
+ cors_request origin: "http://example.net"
323
+ last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "http://example.net"
324
+ end
325
+ end
326
+
290
327
  protected
291
328
  def cors_request(*args)
292
329
  path = args.first.is_a?(String) ? args.first : '/'
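Review bot: The `with app overriding CORS header` block pins down the new precedence (app header wins) and the debug record, but it lacks the complementary case: with `debug: false` (the default) the `X-Rack-CORS-Original-Access-Control-Allow-Origin` header must be absent, otherwise the middleware's computed value is exposed to every client in production. `Logger.new(StringIO.new)` also assumes `logger` and `stringio` are loaded by the test helper; add the two `require`s there if they are not already present.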
@@ -4,7 +4,11 @@ require 'rack/cors'
4
4
  use Rack::Lint
5
5
  use Rack::Cors do
6
6
  allow do
7
- origins 'localhost:3000', '127.0.0.1:3000', /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/, 'file://'
7
+ origins 'localhost:3000',
8
+ '127.0.0.1:3000',
9
+ /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/,
10
+ 'file://',
11
+ /http:\/\/(.*?)\.example\.com/
8
12
 
9
13
  resource '/get-only', :methods => :get
10
14
  resource '/', :headers => :any, :methods => :any
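Review bot: Both regular expressions in the reshaped `origins` list are unanchored: `/http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/` and the new `/http:\/\/(.*?)\.example\.com/` match anywhere in the Origin value, which is the pitfall the README in this same release warns about and corrects in its own example (`/\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/`). Since this file is the fixture the test suite runs against, anchor both with `\A` and `\z` so the tests exercise the recommended configuration, and tighten the lazy `(.*?)` to `[^\/]+` so the subdomain part cannot span a path separator.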
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-cors
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.0
4
+ version: 0.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Calvin Yu
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-04-15 00:00:00.000000000 Z
11
+ date: 2017-02-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -89,6 +89,7 @@ executables: []
89
89
  extensions: []
90
90
  extra_rdoc_files: []
91
91
  files:
92
+ - ".travis.yml"
92
93
  - CHANGELOG
93
94
  - Gemfile
94
95
  - LICENSE.txt
@@ -127,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
127
128
  version: '0'
128
129
  requirements: []
129
130
  rubyforge_project:
130
- rubygems_version: 2.4.5
131
+ rubygems_version: 2.5.2
131
132
  signing_key:
132
133
  specification_version: 4
133
134
  summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps