rack-cors 0.4.1 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: aaa518c3408420a39bd3c41bd822cdda6309beb2
-  data.tar.gz: 8fa4c9d5141e4d6c4df8600175f44ba6803ebe9f
+SHA256:
+  metadata.gz: f47b5b2ba34721795ddb1c65e70e989134655e7f47116dd977edee702a79f41f
+  data.tar.gz: 7c03dc701b00b7418ab4d733872fccc3522392f0f85014b8ca25045767d866a9
 SHA512:
-  metadata.gz: 633c772b16e08fad8fb93a7d1bf5d62a398abb534a27ce0d44df843242c5e1077112e98b1eb7e2d3849da952fec1754cd2e8451195c1a2c86ac567d69652b859
-  data.tar.gz: 8e0265d2d82db72ac68871dcf0eaf974809638d5a52514f99392b731fe09050ab07968c5e538a35d7bba2b7892cc62b3d6b7b401fe8a05c4648f5ad57a092abf
+  metadata.gz: d5a94b8f282fd5367e125f4b49e18ce5fb1c07581d89b2d50dc8cf4eb70e8404d97c78a6ccaf90f1e41f0f220bb09ff9dd07a4677559935cc35256674e6c512d
+  data.tar.gz: bee187e2dc53281d8b454df32b6a8fd50e05b66de4f25649d74f176abf29d52eb4cee5a2b2e602e087c5f5805b6dd55ab86a9e0692d3d82c5538e0c30e3c020b

data/.github/workflows/ci.yaml

@@ -0,0 +1,39 @@
+name: ci
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "2.3"
+          - "2.4"
+          - "2.5"
+          - "2.6"
+          - "2.7"
+          - "3.0"
+          - "3.1"
+          - "3.2"
+          - truffleruby-head
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - run: bundle exec rake test
+
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2.1
+          bundler-cache: true
+      - run: bundle exec rubocop

data/.rubocop.yml

@@ -0,0 +1,31 @@
+---
+AllCops:
+  Exclude:
+    - "examples/**/*"
+    - "vendor/**/*"
+
+# Disables
+Layout/LineLength:
+  Enabled: false
+Style/Documentation:
+  Enabled: false
+Metrics/ClassLength:
+  Enabled: false
+Metrics/MethodLength:
+  Enabled: false
+Metrics/BlockLength:
+  Enabled: false
+Style/HashEachMethods:
+  Enabled: false
+Style/HashTransformKeys:
+  Enabled: false
+Style/HashTransformValues:
+  Enabled: false
+Style/DoubleNegation:
+  Enabled: false
+Metrics/CyclomaticComplexity:
+  Enabled: false
+Metrics/PerceivedComplexity:
+  Enabled: false
+Metrics/AbcSize:
+  Enabled: false

data/CHANGELOG.md

@@ -0,0 +1,99 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## 2.0.1 - 2023-02-17
+### Changed
+- Use Rack::Utils::HeaderHash when Rack 2.x is detected
+
+## 2.0.0 - 2023-02-14
+### Changed
+- Refactored codebase
+- Support declaring custom protocols in origin
+- Lowercased header names as defined by Rack spec
+- Fix issue with duplicate headers because of header name case
+
+## 1.1.1 - 2019-12-29
+### Changed
+- Allow /<resource>/* to match /<resource>/ and /<resource> paths
+
+## 1.1.0 - 2019-11-19
+### Changed
+- Use Rack::Utils.escape_path instead of Rack::Utils.escape
+- Require Rack 2.0 for escape_path method
+- Don't try to clean path if invalid.
+- Return 400 (Bad Request) on preflights with invalid path
+
+## 1.0.6 - 2019-11-14
+### Changed
+- Use Rack::Utils.escape to make compat with Rack 1.6.0
+
+## 1.0.5 - 2019-11-14
+### Changed
+- Update Gem spec to require rack >= 1.6.0
+
+## 1.0.4 - 2019-11-13
+### Security
+- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
+
+## 1.0.3 - 2019-03-24
+### Changed
+- Don't send 'Content-Type' header with pre-flight requests
+- Allow ruby array for  vary header config
+
+## 1.0.2 - 2017-10-22
+### Fixed
+- Automatically allow simple headers when headers are set
+
+## 1.0.1 - 2017-07-18
+### Fixed
+- Allow lambda origin configuration
+
+## 1.0.0 - 2017-07-15
+### Security
+- Don't implicitly accept 'null' origins when 'file://' is specified
+(https://github.com/cyu/rack-cors/pull/134)
+- Ignore '' origins (https://github.com/cyu/rack-cors/issues/139)
+- Default credentials option on resources to false
+(https://github.com/cyu/rack-cors/issues/95)
+- Don't allow credentials option to be true if '*' is specified is origin
+(https://github.com/cyu/rack-cors/pull/142)
+- Don't reflect Origin header when '*' is specified as origin
+(https://github.com/cyu/rack-cors/pull/142)
+
+### Fixed
+- Don't respond immediately on non-matching preflight requests instead of
+sending them through the app (https://github.com/cyu/rack-cors/pull/106)
+
+## 0.4.1 - 2017-02-01
+### Fixed
+- Return miss result in X-Rack-CORS instead of incorrectly returning
+preflight-hit
+
+## 0.4.0 - 2015-04-15
+### Changed
+- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
+
+### Added
+- Calculate vary headers for non-CORS resources
+- Support custom vary headers for resource
+- Support :if option for resource
+- Support :any as a possible value for :methods option
+
+### Fixed
+- Don't symbolize incoming HTTP request methods
+
+## 0.3.1 - 2014-12-27
+### Changed
+- Changed the env key to rack.cors to avoid Rack::Lint warnings
+
+## 0.3.0 - 2014-10-19
+### Added
+- Added support for defining a logger with a Proc
+- Return a X-Rack-CORS header when in debug mode detailing how Rack::Cors
+processed a request
+- Added support for non HTTP/HTTPS origins when just a domain is specified
+
+### Changed
+- Changed the log level of the fallback logger to DEBUG
+- Print warning when attempting to use :any as an allowed method
+- Treat incoming `Origin: null` headers as file://

data/Gemfile

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in rack-cors.gemspec
 gemspec
 
-gem 'pry-byebug'
+gem 'pry-byebug', '~> 3.6.0'

data/README.md

@@ -1,8 +1,8 @@
-# Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
+# Rack CORS Middleware [![Build Status](https://github.com/cyu/rack-cors/actions/workflows/ci.yaml/badge.svg)](https://github.com/cyu/rack-cors/actions)
 
 `Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
 
-The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
+The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [further explanations on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
 
 ## Installation
 
@@ -13,49 +13,43 @@ Install the gem:
 Or in your Gemfile:
 
 ```ruby
-gem 'rack-cors', :require => 'rack/cors'
+gem 'rack-cors'
 ```
 
 
 ## Configuration
 
 ### Rails Configuration
-Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
+For Rails, you'll need to add this middleware on application startup. A practical way to do this is with an initializer file. For example, the following will allow GET, POST, PATCH, or PUT requests from any origin on any resource:
 
 ```ruby
-module YourApp
-  class Application < Rails::Application
-
-    # ...
-    
-    # Rails 3/4
-
-    config.middleware.insert_before 0, "Rack::Cors" do
-      allow do
-        origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
-      end
-    end
-    
-    # Rails 5
-
-    config.middleware.insert_before 0, Rack::Cors do
-      allow do
-        origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
-      end
-    end
+# config/initializers/cors.rb
 
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '*', headers: :any, methods: [:get, :post, :patch, :put]
   end
 end
 ```
-Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
+
+NOTE: If you create application with `--api` option, configuration automatically generate in `config/initializers/cors.rb`.
+
+We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with by other middleware (see `Rack::Cache` note in **Common Gotchas** section). Basic setup examples for Rails 5 & Rails 6 can be found in the examples/ directory.
 
 See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
 
+*Note about Rails 6*: Rails 6 has support for blocking requests from unknown hosts, so origin domains will need to be added there as well.
+
+```ruby
+Rails.application.config.hosts << "product.com"
+```
+
+Read more about it here in the [Rails Guides](https://guides.rubyonrails.org/configuring.html#configuring-middleware)
+
 ### Rack Configuration
 
-NOTE: If you're running Rails, updating in `config/application.rb` should be enough.  There is no need to update `config.ru` as well.
+NOTE: If you're running Rails, adding `config/initializers/cors.rb` should be enough.  There is no need to update `config.ru` as well.
 
 In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
 
@@ -68,16 +62,22 @@ use Rack::Cors do
 
     resource '/file/list_all/', :headers => 'x-domain-token'
     resource '/file/at/*',
-        :methods => [:get, :post, :delete, :put, :patch, :options, :head],
-        :headers => 'x-domain-token',
-        :expose  => ['Some-Custom-Response-Header'],
-        :max_age => 600
+        methods: [:get, :post, :delete, :put, :patch, :options, :head],
+        headers: 'x-domain-token',
+        expose: ['Some-Custom-Response-Header'],
+        max_age: 600
         # headers to expose
   end
 
   allow do
     origins '*'
-    resource '/public/*', :headers => :any, :methods => :get
+    resource '/public/*', headers: :any, methods: :get
+
+    # Only allow a request for a specific host
+    resource '/api/v1/*',
+        headers: :any,
+        methods: :get,
+        if: proc { |env| env['HTTP_HOST'] == 'api.example.com' }
   end
 end
 ```
@@ -91,20 +91,19 @@ end
 #### Origin
 Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
 
-**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
+**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors, like `\Ahttps:\/\/example\.com\z`.
 
 Additionally, origins can be specified dynamically via a block of the following form:
 ```ruby
   origins { |source, env| true || false }
 ```
 
-#### Resource
 A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  A resource can take the following options:
 
 * **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
 * **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
-* **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
+* **credentials** (boolean, default: `false`): Sets the `Access-Control-Allow-Credentials` response header. **Note:** If a wildcard (`*`) origin is specified, this option cannot be set to `true`.  Read this [security article](http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html) for more information.
 * **max_age** (number): Sets the `Access-Control-Max-Age` response header.
 * **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
 * **vary** (string or array): A list of HTTP headers to add to the 'Vary' header.
@@ -112,24 +111,50 @@ A Resource path can be specified as exact string match (`/path/to/file.txt`) or
 
 ## Common Gotchas
 
-Incorrect positioning of `Rack::Cors` in the middleware stack can produce unexpected results.  The Rails example above will put it above all middleware which should cover most issues.
+### Origin Matching
+
+When specifying an origin, make sure that it does not have a trailing slash.
 
-Here are some common cases:
+### Testing Postman and/or cURL
 
-* **Serving static files.**  Insert this middleware before `ActionDispatch::Static` so that static files are served with the proper CORS headers (see note below for a caveat).  **NOTE:** that this might not work in production environments as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+* Make sure you're passing in an `Origin:` header.  That header is required to trigger a CORS response.  Here's [a good SO post](https://stackoverflow.com/questions/12173990/how-can-you-debug-a-cors-request-with-curl) about using cURL for testing CORS.
+* Make sure your origin does not have a trailing slash.
 
-* **Caching in the middleware.**  Insert this middleware before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+### Positioning in the Middleware Stack
 
-* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.  Be sure to insert this middleware before 'Warden::Manager`.
+Positioning of `Rack::Cors` in the middleware stack is very important. In the Rails example above we put it above all other middleware which, in our experience, provides the most consistent results.
 
-To determine where to put the CORS middleware in the Rack stack, run the following command:
+Here are some scenarios where incorrect positioning have created issues:
+
+* **Serving static files.**  Insert before `ActionDispatch::Static` so that static files are served with the proper CORS headers.  **NOTE:** this might not work in production as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+
+* **Caching in the middleware.**  Insert before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+
+* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.
+
+You can run the following command to see what the middleware stack looks like:
 
 ```bash
 bundle exec rake middleware
 ```
 
-In many cases, the Rack stack will be different running in production environments.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run the following command to see what your middleware stack looks like in production:
+Note that the middleware stack is different in production.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run this to see what your middleware stack looks like in production:
 
 ```bash
 RAILS_ENV=production bundle exec rake middleware
 ```
+
+### Serving static files
+
+If you trying to serve CORS headers on static assets (like CSS, JS, Font files), keep in mind that static files are usually served directly from web servers and never runs through the Rails container (including the middleware stack where `Rack::Cors` resides).
+
+In Heroku, you can serve static assets through the Rails container by setting `config.serve_static_assets = true` in `production.rb`.
+
+### Custom Protocols (chrome-extension://, ionic://, etc.)
+
+Prior to 2.0.0, `http://`, `https://`, and `file://` are the only protocols supported in the `origins` list. If you wish to specify an origin that
+has a custom protocol (`chrome-extension://`, `ionic://`, etc.) simply exclude the protocol. [See issue.](https://github.com/cyu/rack-cors/issues/100)
+
+For example, instead of specifying `chrome-extension://aomjjhallfgjeglblehebfpbcfeobpga` specify `aomjjhallfgjeglblehebfpbcfeobpga` in `origins`.
+
+As of 2.0.0 (currently in RC1), you can specify origins with a custom protocol.

data/Rakefile

@@ -1,4 +1,6 @@
-require "bundler/gem_tasks"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
 
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
@@ -7,15 +9,14 @@ Rake::TestTask.new(:test) do |test|
   test.verbose = true
 end
 
-task :default => :test
+task default: :test
 
 require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
-  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+  version = File.exist?('VERSION') ? File.read('VERSION') : ''
 
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = "rack-cors #{version}"
   rdoc.rdoc_files.include('README*')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
-

data/lib/rack/cors/resource.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Resource
+      # All CORS routes need to accept CORS simple headers at all times
+      # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
+      CORS_SIMPLE_HEADERS = %w[accept accept-language content-language content-type].freeze
+
+      attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
+
+      def initialize(public_resource, path, opts = {})
+        raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
+
+        self.path         = path
+        self.credentials  = public_resource ? false : (opts[:credentials] == true)
+        self.max_age      = opts[:max_age] || 7200
+        self.pattern      = compile(path)
+        self.if_proc      = opts[:if]
+        self.vary_headers = opts[:vary] && [opts[:vary]].flatten
+        @public_resource  = public_resource
+
+        self.headers = case opts[:headers]
+                       when :any then :any
+                       when nil then nil
+                       else
+                         [opts[:headers]].flatten.collect(&:downcase)
+                       end
+
+        self.methods = case opts[:methods]
+                       when :any then %i[get head post put patch delete options]
+                       else
+                         ensure_enum(opts[:methods]) || [:get]
+                       end.map(&:to_s)
+
+        self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
+      end
+
+      def matches_path?(path)
+        pattern =~ path
+      end
+
+      def match?(path, env)
+        matches_path?(path) && (if_proc.nil? || if_proc.call(env))
+      end
+
+      def process_preflight(env, result)
+        headers = {}
+
+        request_method = env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+        result.miss(Result::MISS_NO_METHOD) && (return headers) if request_method.nil?
+        result.miss(Result::MISS_DENY_METHOD) && (return headers) unless methods.include?(request_method.downcase)
+
+        request_headers = env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+        result.miss(Result::MISS_DENY_HEADER) && (return headers) if request_headers && !allow_headers?(request_headers)
+
+        result.hit = true
+        headers.merge(to_preflight_headers(env))
+      end
+
+      def to_headers(env)
+        h = {
+          'access-control-allow-origin' => origin_for_response_header(env[Rack::Cors::HTTP_ORIGIN]),
+          'access-control-allow-methods' => methods.collect { |m| m.to_s.upcase }.join(', '),
+          'access-control-expose-headers' => expose.nil? ? '' : expose.join(', '),
+          'access-control-max-age' => max_age.to_s
+        }
+        h['access-control-allow-credentials'] = 'true' if credentials
+        header_proc.call(h)
+      end
+
+      protected
+
+      def public_resource?
+        @public_resource
+      end
+
+      def origin_for_response_header(origin)
+        return '*' if public_resource?
+
+        origin
+      end
+
+      def to_preflight_headers(env)
+        h = to_headers(env)
+        h.merge!('access-control-allow-headers' => env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]) if env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+        h
+      end
+
+      def allow_headers?(request_headers)
+        headers = self.headers || []
+        return true if headers == :any
+
+        request_headers = request_headers.split(/,\s*/) if request_headers.is_a?(String)
+        request_headers.all? do |header|
+          header = header.downcase
+          CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
+        end
+      end
+
+      def ensure_enum(var)
+        return nil if var.nil?
+
+        [var].flatten
+      end
+
+      def compile(path)
+        if path.respond_to? :to_str
+          special_chars = %w[. + ( )]
+          pattern =
+            path.to_str.gsub(%r{((:\w+)|/\*|[\*#{special_chars.join}])}) do |match|
+              case match
+              when '/*'
+                '\\/?(.*?)'
+              when '*'
+                '(.*?)'
+              when *special_chars
+                Regexp.escape(match)
+              else
+                '([^/?&#]+)'
+              end
+            end
+          /^#{pattern}$/
+        elsif path.respond_to? :match
+          path
+        else
+          raise TypeError, path
+        end
+      end
+
+      def header_proc
+        @header_proc ||= begin
+          if defined?(Rack::Headers)
+            ->(h) { h }
+          else
+            ->(h) { Rack::Utils::HeaderHash.new(h) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/cors/resources/cors_misconfiguration_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Resource
+      class CorsMisconfigurationError < StandardError
+        def message
+          'Allowing credentials for wildcard origins is insecure.' \
+          " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
+        end
+      end
+    end
+  end
+end

data/lib/rack/cors/resources.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative 'resources/cors_misconfiguration_error'
+
+module Rack
+  class Cors
+    class Resources
+      attr_reader :resources
+
+      def initialize
+        @origins = []
+        @resources = []
+        @public_resources = false
+      end
+
+      def origins(*args, &blk)
+        @origins = args.flatten.reject { |s| s == '' }.map do |n|
+          case n
+          when Proc, Regexp, %r{^[a-z][a-z0-9.+-]*://}
+            n
+          when '*'
+            @public_resources = true
+            n
+          else
+            Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
+          end
+        end.flatten
+        @origins.push(blk) if blk
+      end
+
+      def resource(path, opts = {})
+        @resources << Resource.new(public_resources?, path, opts)
+      end
+
+      def public_resources?
+        @public_resources
+      end
+
+      def allow_origin?(source, env = {})
+        return true if public_resources?
+
+        !!@origins.detect do |origin|
+          if origin.is_a?(Proc)
+            origin.call(source, env)
+          elsif origin.is_a?(Regexp)
+            source =~ origin
+          else
+            source == origin
+          end
+        end
+      end
+
+      def match_resource(path, env)
+        @resources.detect { |r| r.match?(path, env) }
+      end
+
+      def resource_for_path(path)
+        @resources.detect { |r| r.matches_path?(path) }
+      end
+    end
+  end
+end