rack-cors 0.4.1 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: aaa518c3408420a39bd3c41bd822cdda6309beb2
-  data.tar.gz: 8fa4c9d5141e4d6c4df8600175f44ba6803ebe9f
+SHA256:
+  metadata.gz: a12cdfc5aca2abf0cf86fb1ca217619fa6b40cad19721118016e064554f46ba0
+  data.tar.gz: 2874199b748909fdfd3e8ec601bd8620bc0235e60c66226259a79ff2404dbaf8
 SHA512:
-  metadata.gz: 633c772b16e08fad8fb93a7d1bf5d62a398abb534a27ce0d44df843242c5e1077112e98b1eb7e2d3849da952fec1754cd2e8451195c1a2c86ac567d69652b859
-  data.tar.gz: 8e0265d2d82db72ac68871dcf0eaf974809638d5a52514f99392b731fe09050ab07968c5e538a35d7bba2b7892cc62b3d6b7b401fe8a05c4648f5ad57a092abf
+  metadata.gz: 2b71fe191ad396ab85e8c1966e979fa3516ee768bae6ed93fd1d43644eada8a455dbab00990ef22440ee7f82dab16a37b283897403d4eba674547bda1f0b86f5
+  data.tar.gz: a31481b3f6d9d45bdc522c444e923438f7f513a57796bf2cf6eaaa665d87f7479bf5f1e5f5ea8d380ce7194f0d3690823e1a681e55c17317cab29bf87b7a7303

data/.travis.yml

@@ -1,6 +1,8 @@
 language: ruby
 sudo: false
 rvm:
-  - 2.2.5
-  - 2.3.0
-  - 2.3.1
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6

data/CHANGELOG.md

@@ -0,0 +1,73 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## 1.0.5 - 2019-11-14
+### Changed
+- Update Gem spec to require rack >= 1.6.0
+
+## 1.0.4 - 2019-11-13
+### Security
+- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
+
+## 1.0.3 - 2019-03-24
+### Changed
+- Don't send 'Content-Type' header with pre-flight requests
+- Allow ruby array for  vary header config
+
+## 1.0.2 - 2017-10-22
+### Fixed
+- Automatically allow simple headers when headers are set
+
+## 1.0.1 - 2017-07-18
+### Fixed
+- Allow lambda origin configuration
+
+## 1.0.0 - 2017-07-15
+### Security
+- Don't implicitly accept 'null' origins when 'file://' is specified
+(https://github.com/cyu/rack-cors/pull/134)
+- Ignore '' origins (https://github.com/cyu/rack-cors/issues/139)
+- Default credentials option on resources to false
+(https://github.com/cyu/rack-cors/issues/95)
+- Don't allow credentials option to be true if '*' is specified is origin
+(https://github.com/cyu/rack-cors/pull/142)
+- Don't reflect Origin header when '*' is specified as origin
+(https://github.com/cyu/rack-cors/pull/142)
+
+### Fixed
+- Don't respond immediately on non-matching preflight requests instead of
+sending them through the app (https://github.com/cyu/rack-cors/pull/106)
+
+## 0.4.1 - 2017-02-01
+### Fixed
+- Return miss result in X-Rack-CORS instead of incorrectly returning
+preflight-hit
+
+## 0.4.0 - 2015-04-15
+### Changed
+- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
+
+### Added
+- Calculate vary headers for non-CORS resources
+- Support custom vary headers for resource
+- Support :if option for resource
+- Support :any as a possible value for :methods option
+
+### Fixed
+- Don't symbolize incoming HTTP request methods
+
+## 0.3.1 - 2014-12-27
+### Changed
+- Changed the env key to rack.cors to avoid Rack::Lint warnings
+
+## 0.3.0 - 2014-10-19
+### Added
+- Added support for defining a logger with a Proc
+- Return a X-Rack-CORS header when in debug mode detailing how Rack::Cors
+processed a request
+- Added support for non HTTP/HTTPS origins when just a domain is specified
+
+### Changed
+- Changed the log level of the fallback logger to DEBUG
+- Print warning when attempting to use :any as an allowed method
+- Treat incoming `Origin: null` headers as file://

data/Gemfile

@@ -3,4 +3,4 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in rack-cors.gemspec
 gemspec
 
-gem 'pry-byebug'
+gem 'pry-byebug', '~> 3.6.0'

data/README.md

@@ -13,7 +13,7 @@ Install the gem:
 Or in your Gemfile:
 
 ```ruby
-gem 'rack-cors', :require => 'rack/cors'
+gem 'rack-cors'
 ```
 
 
@@ -25,31 +25,30 @@ Put something like the code below in `config/application.rb` of your Rails appli
 ```ruby
 module YourApp
   class Application < Rails::Application
-
     # ...
     
-    # Rails 3/4
+    # Rails 5
 
-    config.middleware.insert_before 0, "Rack::Cors" do
+    config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
+        resource '*', headers: :any, methods: [:get, :post, :options]
       end
     end
-    
-    # Rails 5
 
-    config.middleware.insert_before 0, Rack::Cors do
+    # Rails 3/4
+
+    config.middleware.insert_before 0, "Rack::Cors" do
       allow do
         origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
+        resource '*', headers: :any, methods: [:get, :post, :options]
       end
     end
-
   end
 end
 ```
-Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
+
+We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with by other middleware (see `Rack::Cache` note in **Common Gotchas** section). Check out the [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) and [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3).
 
 See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
 
@@ -68,16 +67,22 @@ use Rack::Cors do
 
     resource '/file/list_all/', :headers => 'x-domain-token'
     resource '/file/at/*',
-        :methods => [:get, :post, :delete, :put, :patch, :options, :head],
-        :headers => 'x-domain-token',
-        :expose  => ['Some-Custom-Response-Header'],
-        :max_age => 600
+        methods: [:get, :post, :delete, :put, :patch, :options, :head],
+        headers: 'x-domain-token',
+        expose: ['Some-Custom-Response-Header'],
+        max_age: 600
         # headers to expose
   end
 
   allow do
     origins '*'
-    resource '/public/*', :headers => :any, :methods => :get
+    resource '/public/*', headers: :any, methods: :get
+
+    # Only allow a request for a specific host
+    resource '/api/v1/*',
+        headers: :any,
+        methods: :get,
+        if: proc { |env| env['HTTP_HOST'] == 'api.example.com' }
   end
 end
 ```
@@ -98,13 +103,12 @@ Additionally, origins can be specified dynamically via a block of the following
   origins { |source, env| true || false }
 ```
 
-#### Resource
-A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  A resource can take the following options:
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  To include all of a directory's files and the files in its subdirectories, use this form: `/assets/**/*`.  A resource can take the following options:
 
 * **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
 * **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
-* **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
+* **credentials** (boolean, default: `false`): Sets the `Access-Control-Allow-Credentials` response header. **Note:** If a wildcard (`*`) origin is specified, this option cannot be set to `true`.  Read this [security article](http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html) for more information.
 * **max_age** (number): Sets the `Access-Control-Max-Age` response header.
 * **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
 * **vary** (string or array): A list of HTTP headers to add to the 'Vary' header.

data/lib/rack/cors/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Cors
-    VERSION = "0.4.1"
+    VERSION = "1.0.5"
   end
 end

data/lib/rack/cors.rb

@@ -2,13 +2,28 @@ require 'logger'
 
 module Rack
   class Cors
-    ENV_KEY = 'rack.cors'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'.freeze
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'.freeze
 
-    ORIGIN_HEADER_KEY     = 'HTTP_ORIGIN'.freeze
-    ORIGIN_X_HEADER_KEY   = 'HTTP_X_ORIGIN'.freeze
-    PATH_INFO_HEADER_KEY  = 'PATH_INFO'.freeze
-    VARY_HEADER_KEY       = 'Vary'.freeze
-    DEFAULT_VARY_HEADERS  = ['Origin'].freeze
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'.freeze
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'.freeze
+
+    PATH_INFO      = 'PATH_INFO'.freeze
+    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+
+    RACK_LOGGER = 'rack.logger'.freeze
+    RACK_CORS   =
+    # retaining the old key for backwards compatibility
+    ENV_KEY     = 'rack.cors'.freeze
+
+    OPTIONS     = 'OPTIONS'.freeze
+    VARY        = 'Vary'.freeze
+
+    DEFAULT_VARY_HEADERS = ['Origin'].freeze
+
+    # All CORS routes need to accept CORS simple headers at all times
+    # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
+    CORS_SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'].freeze
 
     def initialize(app, opts={}, &block)
       @app = app
@@ -47,36 +62,38 @@ module Rack
     end
 
     def call(env)
-      env[ORIGIN_HEADER_KEY] ||= env[ORIGIN_X_HEADER_KEY] if env[ORIGIN_X_HEADER_KEY]
+      env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
+
+      path = evaluate_path(env)
 
       add_headers = nil
-      if env[ORIGIN_HEADER_KEY]
+      if env[HTTP_ORIGIN]
         debug(env) do
           [ 'Incoming Headers:',
-            "  Origin: #{env[ORIGIN_HEADER_KEY]}",
-            "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
-            "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
+            "  Origin: #{env[HTTP_ORIGIN]}",
+            "  Path-Info: #{path}",
+            "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+            "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
             ].join("\n")
         end
-        if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-          if headers = process_preflight(env)
-            debug(env) do
-              "Preflight Headers:\n" +
-                  headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
-            end
-            return [200, headers, []]
+        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          headers = process_preflight(env, path)
+          debug(env) do
+            "Preflight Headers:\n" +
+                headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
           end
+          return [200, headers, []]
         else
-          add_headers = process_cors(env)
+          add_headers = process_cors(env, path)
         end
       else
         Result.miss(env, Result::MISS_NO_ORIGIN)
       end
 
       # This call must be done BEFORE calling the app because for some reason
-      # env[PATH_INFO_HEADER_KEY] gets changed after that and it won't match.
-      # (At least in rails 4.1.6)
-      vary_resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
+      # env[PATH_INFO] gets changed after that and it won't match. (At least
+      # in rails 4.1.6)
+      vary_resource = resource_for_path(path)
 
       status, headers, body = @app.call env
 
@@ -95,16 +112,16 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY_HEADER_KEY]
+        vary = headers[VARY]
         cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
           vary_resource.vary_headers
         else
           DEFAULT_VARY_HEADERS
         end
-        headers[VARY_HEADER_KEY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
+        headers[VARY] = ((vary ? ([vary].flatten.map { |v| v.split(/,\s*/) }.flatten) : []) + cors_vary_headers).uniq.join(', ')
       end
 
-      if debug? && result = env[ENV_KEY]
+      if debug? && result = env[RACK_CORS]
         result.append_header(headers)
       end
 
@@ -122,36 +139,41 @@ module Rack
           @logger_proc = nil
           logger_proc.call
 
-        elsif defined?(Rails) && Rails.logger
+        elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
           Rails.logger
 
-        elsif env['rack.logger']
-          env['rack.logger']
+        elsif env[RACK_LOGGER]
+          env[RACK_LOGGER]
 
         else
           ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
         end
       end
 
+      def evaluate_path(env)
+        path = env[PATH_INFO]
+        path = Rack::Utils.clean_path_info(Rack::Utils.unescape_path(path)) if path
+        path
+      end
+
       def all_resources
         @all_resources ||= []
       end
 
-      def process_preflight(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.preflight_hit(env)
-          preflight = resource.process_preflight(env)
-          preflight
+      def process_preflight(env, path)
+        result = Result.preflight(env)
 
-        else
-          Result.preflight_miss(env, error)
-          nil
+        resource, error = match_resource(path, env)
+        unless resource
+          result.miss(error)
+          return {}
         end
+
+        return resource.process_preflight(env, result)
       end
 
-      def process_cors(env)
-        resource, error = match_resource(env)
+      def process_cors(env, path)
+        resource, error = match_resource(path, env)
         if resource
           Result.hit(env)
           cors = resource.to_headers(env)
@@ -172,9 +194,8 @@ module Rack
         nil
       end
 
-      def match_resource(env)
-        path   = env[PATH_INFO_HEADER_KEY]
-        origin = env[ORIGIN_HEADER_KEY]
+      def match_resource(path, env)
+        origin = env[HTTP_ORIGIN]
 
         origin_matched = false
         all_resources.each do |r|
@@ -195,6 +216,10 @@ module Rack
         MISS_NO_ORIGIN = 'no-origin'.freeze
         MISS_NO_PATH   = 'no-path'.freeze
 
+        MISS_NO_METHOD   = 'no-method'.freeze
+        MISS_DENY_METHOD = 'deny-method'.freeze
+        MISS_DENY_HEADER = 'deny-header'.freeze
+
         attr_accessor :preflight, :hit, :miss_reason
 
         def hit?
@@ -205,11 +230,16 @@ module Rack
           !!preflight
         end
 
+        def miss(reason)
+          self.hit = false
+          self.miss_reason = reason
+        end
+
         def self.hit(env)
           r = Result.new
           r.preflight = false
           r.hit = true
-          env[ENV_KEY] = r
+          env[RACK_CORS] = r
         end
 
         def self.miss(env, reason)
@@ -217,23 +247,15 @@ module Rack
           r.preflight = false
           r.hit = false
           r.miss_reason = reason
-          env[ENV_KEY] = r
+          env[RACK_CORS] = r
         end
 
-        def self.preflight_hit(env)
+        def self.preflight(env)
           r = Result.new
           r.preflight = true
-          r.hit = true
-          env[ENV_KEY] = r
+          env[RACK_CORS] = r
         end
 
-        def self.preflight_miss(env, reason)
-          r = Result.new
-          r.preflight = true
-          r.hit = false
-          r.miss_reason = reason
-          env[ENV_KEY] = r
-        end
 
         def append_header(headers)
           headers[HEADER_KEY] = if hit?
@@ -248,6 +270,9 @@ module Rack
       end
 
       class Resources
+
+        attr_reader :resources
+
         def initialize
           @origins = []
           @resources = []
@@ -255,9 +280,10 @@ module Rack
         end
 
         def origins(*args, &blk)
-          @origins = args.flatten.collect do |n|
+          @origins = args.flatten.reject{ |s| s == '' }.map do |n|
             case n
-            when Regexp,
+            when Proc,
+                 Regexp,
                  /^https?:\/\//,
                  'file://'        then n
             when '*'              then @public_resources = true; n
@@ -278,13 +304,11 @@ module Rack
         def allow_origin?(source,env = {})
           return true if public_resources?
 
-          effective_source = (source == 'null' ? 'file://' : source)
-
           return !! @origins.detect do |origin|
             if origin.is_a?(Proc)
               origin.call(source,env)
             else
-              origin === effective_source
+              origin === source
             end
           end
         end
@@ -300,12 +324,21 @@ module Rack
       end
 
       class Resource
+        class CorsMisconfigurationError < StandardError
+          def message
+            "Allowing credentials for wildcard origins is insecure."\
+            " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
+          end
+        end
+
         attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
 
         def initialize(public_resource, path, opts={})
+          raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
+
           self.path         = path
-          self.credentials  = opts[:credentials].nil? ? true : opts[:credentials]
-          self.max_age      = opts[:max_age] || 1728000
+          self.credentials  = public_resource ? false : (opts[:credentials] == true)
+          self.max_age      = opts[:max_age] || 7200
           self.pattern      = compile(path)
           self.if_proc      = opts[:if]
           self.vary_headers = opts[:vary] && [opts[:vary]].flatten
@@ -323,7 +356,7 @@ module Rack
           else
             ensure_enum(opts[:methods]) || [:get]
           end.map{|e| e.to_s }
-          
+
           self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
         end
 
@@ -335,14 +368,29 @@ module Rack
           matches_path?(path) && (if_proc.nil? || if_proc.call(env))
         end
 
-        def process_preflight(env)
-          return nil if invalid_method_request?(env) || invalid_headers_request?(env)
-          {'Content-Type' => 'text/plain'}.merge(to_preflight_headers(env))
+        def process_preflight(env, result)
+          headers = {}
+
+          request_method = env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          if request_method.nil?
+            result.miss(Result::MISS_NO_METHOD) and return headers
+          end
+          if !methods.include?(request_method.downcase)
+            result.miss(Result::MISS_DENY_METHOD) and return headers
+          end
+
+          request_headers = env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+          if request_headers && !allow_headers?(request_headers)
+            result.miss(Result::MISS_DENY_HEADER) and return headers
+          end
+
+          result.hit = true
+          headers.merge(to_preflight_headers(env))
         end
 
         def to_headers(env)
           h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
+            'Access-Control-Allow-Origin'     => origin_for_response_header(env[HTTP_ORIGIN]),
             'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
             'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
             'Access-Control-Max-Age'          => max_age.to_s }
@@ -356,33 +404,27 @@ module Rack
           end
 
           def origin_for_response_header(origin)
-            return '*' if public_resource? && !credentials
+            return '*' if public_resource?
             origin
           end
 
           def to_preflight_headers(env)
             h = to_headers(env)
-            if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-              h.merge!('Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
+            if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+              h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
             end
             h
           end
 
-          def invalid_method_request?(env)
-            request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-            request_method.nil? || !methods.include?(request_method.downcase)
-          end
-
-          def invalid_headers_request?(env)
-            request_headers = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-            request_headers && !allow_headers?(request_headers)
-          end
-
           def allow_headers?(request_headers)
-            return false if headers.nil?
-            headers == :any || begin
-              request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-              request_headers.all?{|h| headers.include?(h.downcase)}
+            headers = self.headers || []
+            if headers == :any
+              return true
+            end
+            request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
+            request_headers.all? do |header|
+              header = header.downcase
+              CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
             end
           end
 

data/rack-cors.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.version       = Rack::Cors::VERSION
   spec.authors       = ["Calvin Yu"]
   spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: https://github.com/cyu/rack-cors}
+  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors}
   spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
   spec.homepage      = "https://github.com/cyu/rack-cors"
   spec.license       = "MIT"
@@ -18,9 +18,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "minitest", ">= 5.3.0"
-  spec.add_development_dependency "mocha", ">= 0.14.0"
-  spec.add_development_dependency "rack-test", ">= 0"
+  spec.add_dependency "rack", ">= 1.6.0"
+  spec.add_development_dependency "bundler", ">= 1.16.0", '< 3'
+  spec.add_development_dependency "rake", "~> 12.3.0"
+  spec.add_development_dependency "minitest", "~> 5.11.0"
+  spec.add_development_dependency "mocha", "~> 1.6.0"
+  spec.add_development_dependency "rack-test", "~> 1.1.0"
 end

data/test/cors/test.cors.coffee

@@ -1,4 +1,4 @@
-CORS_SERVER = 'cors-server:3000'
+CORS_SERVER = '127.0.0.1.xip.io:9292'
 
 describe 'CORS', ->
 
@@ -12,6 +12,11 @@ describe 'CORS', ->
       expect(data).to.eql('Hello world')
       done()
 
+  it 'should allow PATCH access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'PATCH').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
+
   it 'should allow HEAD access to dynamic resource', (done) ->
     $.ajax("http://#{CORS_SERVER}/", type: 'HEAD').done (data, textStatus, jqXHR) ->
       expect(jqXHR.status).to.eql(200)