rack-cors 1.0.2 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7a4d5e6683440676f486ce61b3c16ff2e7c8f65e
-  data.tar.gz: be95c0c3dce56c965aff4b1cb398f2ad6fb4f6b3
+SHA256:
+  metadata.gz: 14eb27e856c7cdd90b79cfc7236f3b71e10cfdcb2e282bb1a93546b8a97a053e
+  data.tar.gz: c9a2d87407a44c7df88129ece2d8ac5b8f5f6c46414b742c762d63cb99ae2278
 SHA512:
-  metadata.gz: 8ae27dfd82bd822e700c476963118b15e68dee7850aaccb8b43a05670903f9f66217c8cd77dcf425f664581ecadf00eb43c1c1926648d97caf07c6d4a4dd0574
-  data.tar.gz: df278b2f1b3e6f0b01305d601fb58f2d41aef0579232d5ae27564be76483afdfb58b9219708d5a944c7db293025d7bacec4924dc63c06aefed2a7df4ad00e9ec
+  metadata.gz: e7a4136f89a39be61d5d1c7cdc1d5d4c85a883ee72f9a0f16c13fdd0218918d9c67a379974bae60271f3a7b1e2aebdaf8c187aa65c9e97b4d12427a9c606af60
+  data.tar.gz: a6798527bc3b3463f93d63bb42e901ff11de4512c63e10baf2ccb413526fff0cbee04bd9c2c38025b840c5ce9281fd60cd473d4dd0631a1cb6ba704d7d4d28f0

data/{CHANGELOG → CHANGELOG.md}

@@ -1,6 +1,53 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 2.0.2 - 2024-03-04
+### Changed
+- Fix file permission issues with 2.0.1 release
+
+## 2.0.1 - 2023-02-17
+### Changed
+- Use Rack::Utils::HeaderHash when Rack 2.x is detected
+
+## 2.0.0 - 2023-02-14
+### Changed
+- Refactored codebase
+- Support declaring custom protocols in origin
+- Lowercased header names as defined by Rack spec
+- Fix issue with duplicate headers because of header name case
+
+## 1.1.1 - 2019-12-29
+### Changed
+- Allow /<resource>/* to match /<resource>/ and /<resource> paths
+
+## 1.1.0 - 2019-11-19
+### Changed
+- Use Rack::Utils.escape_path instead of Rack::Utils.escape
+- Require Rack 2.0 for escape_path method
+- Don't try to clean path if invalid.
+- Return 400 (Bad Request) on preflights with invalid path
+
+## 1.0.6 - 2019-11-14
+### Changed
+- Use Rack::Utils.escape to make compat with Rack 1.6.0
+
+## 1.0.5 - 2019-11-14
+### Changed
+- Update Gem spec to require rack >= 1.6.0
+
+## 1.0.4 - 2019-11-13
+### Security
+- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
+
+## 1.0.3 - 2019-03-24
+### Changed
+- Don't send 'Content-Type' header with pre-flight requests
+- Allow ruby array for  vary header config
+
+## 1.0.2 - 2017-10-22
+### Fixed
+- Automatically allow simple headers when headers are set
+
 ## 1.0.1 - 2017-07-18
 ### Fixed
 - Allow lambda origin configuration

data/README.md

@@ -1,8 +1,8 @@
-# Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
+# Rack CORS Middleware [![Build Status](https://github.com/cyu/rack-cors/actions/workflows/ci.yaml/badge.svg)](https://github.com/cyu/rack-cors/actions)
 
 `Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
 
-The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
+The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [further explanations on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
 
 ## Installation
 
@@ -13,50 +13,37 @@ Install the gem:
 Or in your Gemfile:
 
 ```ruby
-gem 'rack-cors', :require => 'rack/cors'
+gem 'rack-cors'
 ```
 
 
 ## Configuration
 
 ### Rails Configuration
-Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
+For Rails, you'll need to add this middleware on application startup. A practical way to do this is with an initializer file. For example, the following will allow GET, POST, PATCH, or PUT requests from any origin on any resource:
 
 ```ruby
-module YourApp
-  class Application < Rails::Application
-
-    # ...
-    
-    # Rails 5
-
-    config.middleware.insert_before 0, Rack::Cors do
-      allow do
-        origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
-      end
-    end
-
-    # Rails 3/4
-
-    config.middleware.insert_before 0, "Rack::Cors" do
-      allow do
-        origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
-      end
-    end
-    
+# config/initializers/cors.rb
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '*', headers: :any, methods: [:get, :post, :patch, :put]
   end
 end
 ```
 
-We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with with other middleware (see `Rack::Cache` note in **Common Gotchas** section). Check out the [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) and [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3).
+NOTE: If you create application with `--api` option, configuration is automatically generated in `config/initializers/cors.rb`.
+
+We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with by other middleware (see `Rack::Cache` note in **Common Gotchas** section). Basic setup examples for Rails 5 & Rails 6 can be found in the examples/ directory.
 
 See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
 
+Read more about it here in the [Rails Guides](https://guides.rubyonrails.org/configuring.html#configuring-middleware)
+
 ### Rack Configuration
 
-NOTE: If you're running Rails, updating in `config/application.rb` should be enough.  There is no need to update `config.ru` as well.
+NOTE: If you're running Rails, adding `config/initializers/cors.rb` should be enough.  There is no need to update `config.ru` as well.
 
 In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
 
@@ -69,16 +56,22 @@ use Rack::Cors do
 
     resource '/file/list_all/', :headers => 'x-domain-token'
     resource '/file/at/*',
-        :methods => [:get, :post, :delete, :put, :patch, :options, :head],
-        :headers => 'x-domain-token',
-        :expose  => ['Some-Custom-Response-Header'],
-        :max_age => 600
+        methods: [:get, :post, :delete, :put, :patch, :options, :head],
+        headers: 'x-domain-token',
+        expose: ['Some-Custom-Response-Header'],
+        max_age: 600
         # headers to expose
   end
 
   allow do
     origins '*'
-    resource '/public/*', :headers => :any, :methods => :get
+    resource '/public/*', headers: :any, methods: :get
+
+    # Only allow a request for a specific host
+    resource '/api/v1/*',
+        headers: :any,
+        methods: :get,
+        if: proc { |env| env['HTTP_HOST'] == 'api.example.com' }
   end
 end
 ```
@@ -92,14 +85,14 @@ end
 #### Origin
 Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
 
-**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
+**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors, like `\Ahttps:\/\/example\.com\z`.
 
 Additionally, origins can be specified dynamically via a block of the following form:
 ```ruby
   origins { |source, env| true || false }
 ```
 
-A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  To include all of a directory's files and the files in its subdirectories, use this form: `/assets/**/*`.  A resource can take the following options:
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  A resource can take the following options:
 
 * **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
@@ -112,24 +105,54 @@ A Resource path can be specified as exact string match (`/path/to/file.txt`) or
 
 ## Common Gotchas
 
-Incorrect positioning of `Rack::Cors` in the middleware stack can produce unexpected results.  The Rails example above will put it above all middleware which should cover most issues.
+### Origin Matching
+
+When specifying an origin, make sure that it does not have a trailing slash.
+
+### Testing Postman and/or cURL
+
+* Make sure you're passing in an `Origin:` header.  That header is required to trigger a CORS response.  Here's [a good SO post](https://stackoverflow.com/questions/12173990/how-can-you-debug-a-cors-request-with-curl) about using cURL for testing CORS.
+* Make sure your origin does not have a trailing slash.
+
+### Positioning in the Middleware Stack
 
-Here are some common cases:
+Positioning of `Rack::Cors` in the middleware stack is very important. In the Rails example above we put it above all other middleware which, in our experience, provides the most consistent results.
 
-* **Serving static files.**  Insert this middleware before `ActionDispatch::Static` so that static files are served with the proper CORS headers (see note below for a caveat).  **NOTE:** that this might not work in production environments as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+Here are some scenarios where incorrect positioning have created issues:
 
-* **Caching in the middleware.**  Insert this middleware before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+* **Serving static files.**  Insert before `ActionDispatch::Static` so that static files are served with the proper CORS headers.  **NOTE:** this might not work in production as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
 
-* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.  Be sure to insert this middleware before 'Warden::Manager`.
+* **Caching in the middleware.**  Insert before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
 
-To determine where to put the CORS middleware in the Rack stack, run the following command:
+* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.
+
+You can run the following command to see what the middleware stack looks like:
 
 ```bash
 bundle exec rake middleware
 ```
 
-In many cases, the Rack stack will be different running in production environments.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run the following command to see what your middleware stack looks like in production:
+Note that the middleware stack is different in production.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run this to see what your middleware stack looks like in production:
 
 ```bash
 RAILS_ENV=production bundle exec rake middleware
 ```
+
+### Serving static files
+
+If you trying to serve CORS headers on static assets (like CSS, JS, Font files), keep in mind that static files are usually served directly from web servers and never runs through the Rails container (including the middleware stack where `Rack::Cors` resides).
+
+In Heroku, you can serve static assets through the Rails container by setting `config.serve_static_assets = true` in `production.rb`.
+
+### Custom Protocols (chrome-extension://, ionic://, etc.)
+
+Prior to 2.0.0, `http://`, `https://`, and `file://` are the only protocols supported in the `origins` list. If you wish to specify an origin that
+has a custom protocol (`chrome-extension://`, `ionic://`, etc.) simply exclude the protocol. [See issue.](https://github.com/cyu/rack-cors/issues/100)
+
+For example, instead of specifying `chrome-extension://aomjjhallfgjeglblehebfpbcfeobpga` specify `aomjjhallfgjeglblehebfpbcfeobpga` in `origins`.
+
+As of 2.0.0 (currently in RC1), you can specify origins with a custom protocol.
+
+### Rails 6 Host Matching
+
+Rails 6 will block requests from unauthorized hosts, and this issue can be confused as a CORS related error. So in development, if you're making requests using something other than localhost or 127.0.0.1, make sure the server host has been authorized. [More info here](https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization)

data/lib/rack/cors/resource.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Resource
+      # All CORS routes need to accept CORS simple headers at all times
+      # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
+      CORS_SIMPLE_HEADERS = %w[accept accept-language content-language content-type].freeze
+
+      attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
+
+      def initialize(public_resource, path, opts = {})
+        raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
+
+        self.path         = path
+        self.credentials  = public_resource ? false : (opts[:credentials] == true)
+        self.max_age      = opts[:max_age] || 7200
+        self.pattern      = compile(path)
+        self.if_proc      = opts[:if]
+        self.vary_headers = opts[:vary] && [opts[:vary]].flatten
+        @public_resource  = public_resource
+
+        self.headers = case opts[:headers]
+                       when :any then :any
+                       when nil then nil
+                       else
+                         [opts[:headers]].flatten.collect(&:downcase)
+                       end
+
+        self.methods = case opts[:methods]
+                       when :any then %i[get head post put patch delete options]
+                       else
+                         ensure_enum(opts[:methods]) || [:get]
+                       end.map(&:to_s)
+
+        self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
+      end
+
+      def matches_path?(path)
+        pattern =~ path
+      end
+
+      def match?(path, env)
+        matches_path?(path) && (if_proc.nil? || if_proc.call(env))
+      end
+
+      def process_preflight(env, result)
+        headers = {}
+
+        request_method = env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+        result.miss(Result::MISS_NO_METHOD) && (return headers) if request_method.nil?
+        result.miss(Result::MISS_DENY_METHOD) && (return headers) unless methods.include?(request_method.downcase)
+
+        request_headers = env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+        result.miss(Result::MISS_DENY_HEADER) && (return headers) if request_headers && !allow_headers?(request_headers)
+
+        result.hit = true
+        headers.merge(to_preflight_headers(env))
+      end
+
+      def to_headers(env)
+        h = {
+          'access-control-allow-origin' => origin_for_response_header(env[Rack::Cors::HTTP_ORIGIN]),
+          'access-control-allow-methods' => methods.collect { |m| m.to_s.upcase }.join(', '),
+          'access-control-expose-headers' => expose.nil? ? '' : expose.join(', '),
+          'access-control-max-age' => max_age.to_s
+        }
+        h['access-control-allow-credentials'] = 'true' if credentials
+        header_proc.call(h)
+      end
+
+      protected
+
+      def public_resource?
+        @public_resource
+      end
+
+      def origin_for_response_header(origin)
+        return '*' if public_resource?
+
+        origin
+      end
+
+      def to_preflight_headers(env)
+        h = to_headers(env)
+        h.merge!('access-control-allow-headers' => env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]) if env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+        h
+      end
+
+      def allow_headers?(request_headers)
+        headers = self.headers || []
+        return true if headers == :any
+
+        request_headers = request_headers.split(/,\s*/) if request_headers.is_a?(String)
+        request_headers.all? do |header|
+          header = header.downcase
+          CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
+        end
+      end
+
+      def ensure_enum(var)
+        return nil if var.nil?
+
+        [var].flatten
+      end
+
+      def compile(path)
+        if path.respond_to? :to_str
+          special_chars = %w[. + ( ) $]
+          pattern =
+            path.to_str.gsub(%r{((:\w+)|/\*|[\*#{special_chars.join}])}) do |match|
+              case match
+              when '/*'
+                '\\/?(.*?)'
+              when '*'
+                '(.*?)'
+              when *special_chars
+                Regexp.escape(match)
+              else
+                '([^/?&#]+)'
+              end
+            end
+          /^#{pattern}$/
+        elsif path.respond_to? :match
+          path
+        else
+          raise TypeError, path
+        end
+      end
+
+      def header_proc
+        @header_proc ||= begin
+          if defined?(Rack::Headers)
+            ->(h) { h }
+          else
+            ->(h) { Rack::Utils::HeaderHash.new(h) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/cors/resources/cors_misconfiguration_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Resource
+      class CorsMisconfigurationError < StandardError
+        def message
+          'Allowing credentials for wildcard origins is insecure.' \
+          " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
+        end
+      end
+    end
+  end
+end

data/lib/rack/cors/resources.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative 'resources/cors_misconfiguration_error'
+
+module Rack
+  class Cors
+    class Resources
+      attr_reader :resources
+
+      def initialize
+        @origins = []
+        @resources = []
+        @public_resources = false
+      end
+
+      def origins(*args, &blk)
+        @origins = args.flatten.reject { |s| s == '' }.map do |n|
+          case n
+          when Proc, Regexp, %r{^[a-z][a-z0-9.+-]*://}
+            n
+          when '*'
+            @public_resources = true
+            n
+          else
+            Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
+          end
+        end.flatten
+        @origins.push(blk) if blk
+      end
+
+      def resource(path, opts = {})
+        @resources << Resource.new(public_resources?, path, opts)
+      end
+
+      def public_resources?
+        @public_resources
+      end
+
+      def allow_origin?(source, env = {})
+        return true if public_resources?
+
+        !!@origins.detect do |origin|
+          if origin.is_a?(Proc)
+            origin.call(source, env)
+          elsif origin.is_a?(Regexp)
+            source =~ origin
+          else
+            source == origin
+          end
+        end
+      end
+
+      def match_resource(path, env)
+        @resources.detect { |r| r.match?(path, env) }
+      end
+
+      def resource_for_path(path)
+        @resources.detect { |r| r.matches_path?(path) }
+      end
+    end
+  end
+end

data/lib/rack/cors/result.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Result
+      HEADER_KEY = 'x-rack-cors'
+
+      MISS_NO_ORIGIN = 'no-origin'
+      MISS_NO_PATH   = 'no-path'
+
+      MISS_NO_METHOD   = 'no-method'
+      MISS_DENY_METHOD = 'deny-method'
+      MISS_DENY_HEADER = 'deny-header'
+
+      attr_accessor :preflight, :hit, :miss_reason
+
+      def hit?
+        !!hit
+      end
+
+      def preflight?
+        !!preflight
+      end
+
+      def miss(reason)
+        self.hit = false
+        self.miss_reason = reason
+      end
+
+      def self.hit(env)
+        r = Result.new
+        r.preflight = false
+        r.hit = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+
+      def self.miss(env, reason)
+        r = Result.new
+        r.preflight = false
+        r.hit = false
+        r.miss_reason = reason
+        env[Rack::Cors::ENV_KEY] = r
+      end
+
+      def self.preflight(env)
+        r = Result.new
+        r.preflight = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+
+      def append_header(headers)
+        headers[HEADER_KEY] = if hit?
+                                preflight? ? 'preflight-hit' : 'hit'
+                              else
+                                [
+                                  (preflight? ? 'preflight-miss' : 'miss'),
+                                  miss_reason
+                                ].join('; ')
+                              end
+      end
+    end
+  end
+end

data/lib/rack/cors/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
   class Cors
-    VERSION = "1.0.2"
+    VERSION = '2.0.2'
   end
 end