rack-cors 1.1.1 → 2.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f879bc8ea95eac0ca9360c3a553084961d02944255f6ad380b64e855653b8b6
-  data.tar.gz: bd9478603340a1785324ab4f1db9517a8943fdcc1be13193e4d6b83b184fa032
+  metadata.gz: c4c9bf1e801f0bb5f4c5abb111fbe9a0dcfbd1bcf0da1b2070fb1575de5bcdd7
+  data.tar.gz: 9a78208ad501ffa452ac0721eeb29ccf5fc00ad392bfe2be06c8d0c6a4a1c5c0
 SHA512:
-  metadata.gz: 12d13e99acef13b159595487b3c0198bc1a355371bdb149241d11e1d0715148e0749085d0f0c362d4defdec2e325b416b1e93aeb28be2d421516d4db8185fdac
-  data.tar.gz: a1f373194a95094f337c545e7751eac2c4d8500dfd607088a88e55774b755fa0ec659710319a2f7997e579231b7de806e63f2ce4a1639cdb732eed5bcbb743b9
+  metadata.gz: ef9c38f1c3f6c13609afcded7d3bd0c40e22e6a098fe7f565d5d6351c1ed0e3f199752912163bd1963005b3ed4d5ae20216b6f8c94736b5f941d9e038e089829
+  data.tar.gz: 633bf8887b580a52cd0f50359d8febffd609190cbb5084ae5e02233126c14a70d019bdfd2feddba7cf078cf5d820e86856ad867fcbc1ce90bd3ecb9c75b08f64

data/.rubocop.yml

@@ -0,0 +1,31 @@
+---
+
+AllCops:
+  Exclude:
+    - 'examples/**/*'
+
+# Disables
+Layout/LineLength:
+  Enabled: false
+Style/Documentation:
+  Enabled: false
+Metrics/ClassLength:
+  Enabled: false
+Metrics/MethodLength:
+  Enabled: false
+Metrics/BlockLength:
+  Enabled: false
+Style/HashEachMethods:
+  Enabled: false
+Style/HashTransformKeys:
+  Enabled: false
+Style/HashTransformValues:
+  Enabled: false
+Style/DoubleNegation:
+  Enabled: false
+Metrics/CyclomaticComplexity:
+  Enabled: false
+Metrics/PerceivedComplexity:
+  Enabled: false
+Metrics/AbcSize:
+  Enabled: false

data/.travis.yml

@@ -1,8 +1,13 @@
 language: ruby
 sudo: false
 rvm:
-  - 2.2
   - 2.3
   - 2.4
   - 2.5
   - 2.6
+  - 2.7
+  - truffleruby-head
+
+script:
+  - bundle exec rubocop
+  - bundle exec rake test

data/CHANGELOG.md

@@ -1,6 +1,12 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 2.0.0 - 2022-09-11
+### Changed
+- Refactored codebase
+- Support declaring custom protocols in origin
+- Lowercased header names as defined by Rack spec
+
 ## 1.1.1 - 2019-12-29
 ### Changed
 - Allow /<resource>/* to match /<resource>/ and /<resource> paths

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in rack-cors.gemspec

data/README.md

@@ -20,41 +20,34 @@ gem 'rack-cors'
 ## Configuration
 
 ### Rails Configuration
-Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
+For Rails, you'll need to add this middleware on application startup. A practical way to do this is with an initializer file. For example, the following will allow GET, POST, PATCH, or PUT requests from any origin on any resource:
 
 ```ruby
-module YourApp
-  class Application < Rails::Application
-    # ...
-    
-    # Rails 5
-
-    config.middleware.insert_before 0, Rack::Cors do
-      allow do
-        origins '*'
-        resource '*', headers: :any, methods: [:get, :post, :options]
-      end
-    end
-
-    # Rails 3/4
-
-    config.middleware.insert_before 0, "Rack::Cors" do
-      allow do
-        origins '*'
-        resource '*', headers: :any, methods: [:get, :post, :options]
-      end
-    end
+# config/initializers/cors.rb
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '*', headers: :any, methods: [:get, :post, :patch, :put]
   end
 end
 ```
 
-We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with by other middleware (see `Rack::Cache` note in **Common Gotchas** section). Check out the [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) and [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3).
+We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with by other middleware (see `Rack::Cache` note in **Common Gotchas** section). Basic setup examples for Rails 5 & Rails 6 can be found in the examples/ directory.
 
 See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
 
+*Note about Rails 6*: Rails 6 has support for blocking requests from unknown hosts, so origin domains will need to be added there as well.
+
+```ruby
+Rails.application.config.hosts << "product.com"
+```
+
+Read more about it here in the [Rails Guides](https://guides.rubyonrails.org/configuring.html#configuring-middleware)
+
 ### Rack Configuration
 
-NOTE: If you're running Rails, updating in `config/application.rb` should be enough.  There is no need to update `config.ru` as well.
+NOTE: If you're running Rails, adding `config/initializers/cors.rb` should be enough.  There is no need to update `config.ru` as well.
 
 In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
 
@@ -96,14 +89,14 @@ end
 #### Origin
 Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
 
-**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
+**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors, like `\Ahttps:\/\/example\.com\z`.
 
 Additionally, origins can be specified dynamically via a block of the following form:
 ```ruby
   origins { |source, env| true || false }
 ```
 
-A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  To include all of a directory's files and the files in its subdirectories, use this form: `/assets/**/*`.  A resource can take the following options:
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  A resource can take the following options:
 
 * **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
@@ -116,24 +109,41 @@ A Resource path can be specified as exact string match (`/path/to/file.txt`) or
 
 ## Common Gotchas
 
-Incorrect positioning of `Rack::Cors` in the middleware stack can produce unexpected results.  The Rails example above will put it above all middleware which should cover most issues.
+### Origin Matching
 
-Here are some common cases:
+When specifying an origin, make sure that it does not have a trailing slash.
 
-* **Serving static files.**  Insert this middleware before `ActionDispatch::Static` so that static files are served with the proper CORS headers (see note below for a caveat).  **NOTE:** that this might not work in production environments as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+### Testing Postman and/or cURL
 
-* **Caching in the middleware.**  Insert this middleware before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+* Make sure you're passing in an `Origin:` header.  That header is required to trigger a CORS response.  Here's [a good SO post](https://stackoverflow.com/questions/12173990/how-can-you-debug-a-cors-request-with-curl) about using cURL for testing CORS.
+* Make sure your origin does not have a trailing slash.
 
-* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.  Be sure to insert this middleware before 'Warden::Manager`.
+### Positioning in the Middleware Stack
 
-To determine where to put the CORS middleware in the Rack stack, run the following command:
+Positioning of `Rack::Cors` in the middleware stack is very important. In the Rails example above we put it above all other middleware which, in our experience, provides the most consistent results.
+
+Here are some scenarios where incorrect positioning have created issues:
+
+* **Serving static files.**  Insert before `ActionDispatch::Static` so that static files are served with the proper CORS headers.  **NOTE:** this might not work in production as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+
+* **Caching in the middleware.**  Insert before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+
+* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.
+
+You can run the following command to see what the middleware stack looks like:
 
 ```bash
 bundle exec rake middleware
 ```
 
-In many cases, the Rack stack will be different running in production environments.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run the following command to see what your middleware stack looks like in production:
+Note that the middleware stack is different in production.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run this to see what your middleware stack looks like in production:
 
 ```bash
 RAILS_ENV=production bundle exec rake middleware
 ```
+
+### Serving static files
+
+If you trying to serve CORS headers on static assets (like CSS, JS, Font files), keep in mind that static files are usually served directly from web servers and never runs through the Rails container (including the middleware stack where `Rack::Cors` resides).
+
+In Heroku, you can serve static assets through the Rails container by setting `config.serve_static_assets = true` in `production.rb`.

data/Rakefile

@@ -1,4 +1,6 @@
-require "bundler/gem_tasks"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
 
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
@@ -7,15 +9,14 @@ Rake::TestTask.new(:test) do |test|
   test.verbose = true
 end
 
-task :default => :test
+task default: :test
 
 require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
-  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+  version = File.exist?('VERSION') ? File.read('VERSION') : ''
 
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = "rack-cors #{version}"
   rdoc.rdoc_files.include('README*')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
-

data/lib/rack/cors/resource.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Resource
+      # All CORS routes need to accept CORS simple headers at all times
+      # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
+      CORS_SIMPLE_HEADERS = %w[accept accept-language content-language content-type].freeze
+
+      attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
+
+      def initialize(public_resource, path, opts = {})
+        raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
+
+        self.path         = path
+        self.credentials  = public_resource ? false : (opts[:credentials] == true)
+        self.max_age      = opts[:max_age] || 7200
+        self.pattern      = compile(path)
+        self.if_proc      = opts[:if]
+        self.vary_headers = opts[:vary] && [opts[:vary]].flatten
+        @public_resource  = public_resource
+
+        self.headers = case opts[:headers]
+                       when :any then :any
+                       when nil then nil
+                       else
+                         [opts[:headers]].flatten.collect(&:downcase)
+                       end
+
+        self.methods = case opts[:methods]
+                       when :any then %i[get head post put patch delete options]
+                       else
+                         ensure_enum(opts[:methods]) || [:get]
+                       end.map(&:to_s)
+
+        self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
+      end
+
+      def matches_path?(path)
+        pattern =~ path
+      end
+
+      def match?(path, env)
+        matches_path?(path) && (if_proc.nil? || if_proc.call(env))
+      end
+
+      def process_preflight(env, result)
+        headers = {}
+
+        request_method = env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+        result.miss(Result::MISS_NO_METHOD) && (return headers) if request_method.nil?
+        result.miss(Result::MISS_DENY_METHOD) && (return headers) unless methods.include?(request_method.downcase)
+
+        request_headers = env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+        result.miss(Result::MISS_DENY_HEADER) && (return headers) if request_headers && !allow_headers?(request_headers)
+
+        result.hit = true
+        headers.merge(to_preflight_headers(env))
+      end
+
+      def to_headers(env)
+        h = {
+          'access-control-allow-origin' => origin_for_response_header(env[Rack::Cors::HTTP_ORIGIN]),
+          'access-control-allow-methods' => methods.collect { |m| m.to_s.upcase }.join(', '),
+          'access-control-expose-headers' => expose.nil? ? '' : expose.join(', '),
+          'access-control-max-age' => max_age.to_s
+        }
+        h['access-control-allow-credentials'] = 'true' if credentials
+        h
+      end
+
+      protected
+
+      def public_resource?
+        @public_resource
+      end
+
+      def origin_for_response_header(origin)
+        return '*' if public_resource?
+
+        origin
+      end
+
+      def to_preflight_headers(env)
+        h = to_headers(env)
+        h.merge!('Access-Control-Allow-Headers' => env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]) if env[Rack::Cors::HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+        h
+      end
+
+      def allow_headers?(request_headers)
+        headers = self.headers || []
+        return true if headers == :any
+
+        request_headers = request_headers.split(/,\s*/) if request_headers.is_a?(String)
+        request_headers.all? do |header|
+          header = header.downcase
+          CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
+        end
+      end
+
+      def ensure_enum(var)
+        return nil if var.nil?
+
+        [var].flatten
+      end
+
+      def compile(path)
+        if path.respond_to? :to_str
+          special_chars = %w[. + ( )]
+          pattern =
+            path.to_str.gsub(%r{((:\w+)|/\*|[\*#{special_chars.join}])}) do |match|
+              case match
+              when '/*'
+                '\\/?(.*?)'
+              when '*'
+                '(.*?)'
+              when *special_chars
+                Regexp.escape(match)
+              else
+                '([^/?&#]+)'
+              end
+            end
+          /^#{pattern}$/
+        elsif path.respond_to? :match
+          path
+        else
+          raise TypeError, path
+        end
+      end
+    end
+  end
+end

data/lib/rack/cors/resources/cors_misconfiguration_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Resource
+      class CorsMisconfigurationError < StandardError
+        def message
+          'Allowing credentials for wildcard origins is insecure.' \
+          " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
+        end
+      end
+    end
+  end
+end

data/lib/rack/cors/resources.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative 'resources/cors_misconfiguration_error'
+
+module Rack
+  class Cors
+    class Resources
+      attr_reader :resources
+
+      def initialize
+        @origins = []
+        @resources = []
+        @public_resources = false
+      end
+
+      def origins(*args, &blk)
+        @origins = args.flatten.reject { |s| s == '' }.map do |n|
+          case n
+          when Proc, Regexp, %r{^[a-z][a-z0-9.+-]*://}
+            n
+          when '*'
+            @public_resources = true
+            n
+          else
+            Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
+          end
+        end.flatten
+        @origins.push(blk) if blk
+      end
+
+      def resource(path, opts = {})
+        @resources << Resource.new(public_resources?, path, opts)
+      end
+
+      def public_resources?
+        @public_resources
+      end
+
+      def allow_origin?(source, env = {})
+        return true if public_resources?
+
+        !!@origins.detect do |origin|
+          if origin.is_a?(Proc)
+            origin.call(source, env)
+          elsif origin.is_a?(Regexp)
+            source =~ origin
+          else
+            source == origin
+          end
+        end
+      end
+
+      def match_resource(path, env)
+        @resources.detect { |r| r.match?(path, env) }
+      end
+
+      def resource_for_path(path)
+        @resources.detect { |r| r.matches_path?(path) }
+      end
+    end
+  end
+end

data/lib/rack/cors/result.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cors
+    class Result
+      HEADER_KEY = 'x-rack-cors'
+
+      MISS_NO_ORIGIN = 'no-origin'
+      MISS_NO_PATH   = 'no-path'
+
+      MISS_NO_METHOD   = 'no-method'
+      MISS_DENY_METHOD = 'deny-method'
+      MISS_DENY_HEADER = 'deny-header'
+
+      attr_accessor :preflight, :hit, :miss_reason
+
+      def hit?
+        !!hit
+      end
+
+      def preflight?
+        !!preflight
+      end
+
+      def miss(reason)
+        self.hit = false
+        self.miss_reason = reason
+      end
+
+      def self.hit(env)
+        r = Result.new
+        r.preflight = false
+        r.hit = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+
+      def self.miss(env, reason)
+        r = Result.new
+        r.preflight = false
+        r.hit = false
+        r.miss_reason = reason
+        env[Rack::Cors::ENV_KEY] = r
+      end
+
+      def self.preflight(env)
+        r = Result.new
+        r.preflight = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+
+      def append_header(headers)
+        headers[HEADER_KEY] = if hit?
+                                preflight? ? 'preflight-hit' : 'hit'
+                              else
+                                [
+                                  (preflight? ? 'preflight-miss' : 'miss'),
+                                  miss_reason
+                                ].join('; ')
+                              end
+      end
+    end
+  end
+end

data/lib/rack/cors/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
   class Cors
-    VERSION = "1.1.1"
+    VERSION = '2.0.0.rc1'
   end
 end