rack-cors 0.2.9 → 0.3.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OTQyY2Q0OGNmOGZjMWNhOTc0OTdmOTY3ZTk0NDY0NzhmODE5YTI5Yg==
-  data.tar.gz: !binary |-
-    ZDQyMTJlMTg3MDczMmE0ZjFkMmZjOGExMGU3NDE0NmQ2MGY1YzBlZQ==
+SHA1:
+  metadata.gz: 7fa6e09583a5f2886f25edeea60c8684dd4570e2
+  data.tar.gz: d6527b5970f02a3a43dfc305cf8c3edde91ae00b
 SHA512:
-  metadata.gz: !binary |-
-    NGViNTEzOTIzZjc2ZjVhNjZkZDBmODQ5NzAzNzk3ZThiYzZkMGU2YTU3MmUx
-    NDc3ODlkMTIwNjFmNGZhOWUwZmNjMmEyN2YxZWQ1NTA3NDU3NjEzMGYyNDdi
-    NTM4ZTI3NmQ4ZTE1MmNjOGY5ZTBlNDk2YTQyZDQ0NzA5ZTc2NTE=
-  data.tar.gz: !binary |-
-    NGIwN2QwMjQ1OTQwNzY3M2MzYWFiNWI0Y2RjMjVmMTEzMTk3YjE1ZGJhNjQw
-    YzRjNzhkZTRmZGExYjU2YzU5Y2Q4OTkyNzAyYTFhODRmNGViOGI0MTQyNmNh
-    MjAwYjUxZjRkMGZjMjRmMDJhYjRiOWU2ZmNjNTFjNmEzZTY2YWQ=
+  metadata.gz: 6b4048b21713e5b87d4fca48995253fb500e28e82e38a57a6af489bfa0989706e6cb008f9894d2d87c7b5c7dc215aa32fdfcb3d65748cf5152a79e8c59e1813f
+  data.tar.gz: dd9967c547e09f5eebecc4dfcaf1fab6f16395786af08f8c0dbb09d92e3c6c5400c5d828536b5e66588086c9d9fd1e5af7cfcdebe438c92689b7c2bf066421fd

data/CHANGELOG

@@ -0,0 +1,15 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## 0.3.0 - 2014-10-19
+### Added
+- Added support for defining a logger with a Proc
+- Return a X-Rack-CORS header when in debug mode detailing how
+Rack::Cors processed a request
+- Added support for non HTTP/HTTPS origins when just a domain is
+is specified
+
+### Changed
+- Changed the log level of the fallback logger to DEBUG
+- Print warning when attempting to use :any as an allowed method
+- Treat incoming `Origin: null` headers as file://

data/README.md

@@ -0,0 +1,113 @@
+# Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
+
+`Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.  
+
+The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
+
+## Installation
+
+Install the gem:
+
+`gem install rack-cors`
+
+Or in your Gemfile:
+
+```ruby
+gem 'rack-cors', :require => 'rack/cors'
+```
+
+
+## Configuration
+
+### Rack
+
+In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
+
+```ruby
+use Rack::Cors do
+  allow do
+    origins 'localhost:3000', '127.0.0.1:3000',
+            /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/
+            # regular expressions can be used here
+
+    resource '/file/list_all/', :headers => 'x-domain-token'
+    resource '/file/at/*',
+        :methods => [:get, :post, :put, :delete, :options],
+        :headers => 'x-domain-token',
+        :expose  => ['Some-Custom-Response-Header'],
+        :max_age => 600
+        # headers to expose
+  end
+
+  allow do
+    origins '*'
+    resource '/public/*', :headers => :any, :methods => :get
+  end
+end
+```
+
+### Rails
+Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
+
+```ruby
+module YourApp
+  class Application < Rails::Application
+
+    # ...
+
+    config.middleware.insert_before 0, "Rack::Cors" do
+      allow do
+        origins '*'
+        resource '*', :headers => :any, :methods => [:get, :post, :options]
+      end
+    end
+      
+  end
+end
+```
+Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
+
+See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware.)
+
+### Configuration Reference
+
+#### Middleware Options
+* **debug** (boolean):  Enables debug logging and `X-Rack-CORS` HTTP headers for debugging.
+* **logger** (Object or Proc): Specify the logger to log to.  If a proc is provided, it will be called when a logger is needed (this is helpful in cases where the logger is initialized after `Rack::Cors` is used, like `Rails.logger`.
+
+#### Origin
+Origins can be specified as a string, a regular expression, or as '*' to allow all origins.
+
+#### Resource
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '*' wildcard (`/all/files/in/*`).  A resource that take the following options:
+
+* **methods** (string or array): The HTTP methods allowed for the resource.
+* **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
+* **expose** (string or an array): The HTTP headers in the resource response can can be exposed to the client.
+* **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
+* **max_age** (number): Sets the `Access-Control-Max-Age` response header.
+
+
+## Common Gotchas
+
+Incorrect positioning of `Rack::Cors` in the middleware stack can produce unexpected results.  The Rails example above will put it above all middleware which should cover most issues.
+
+Here are some common cases:
+
+* **Serving static files.**  Insert this middleware before `ActionDispatch::Static` so that static files are served with the proper CORS headers (see note below for a caveat).  **NOTE:** that this might not work in production environments as static files are usually served from the web server (Nginx, Apache) and not the Rails container.
+
+* **Caching in the middleware.**  Insert this middleware before `Rack::Cache` so that the proper CORS headers are written and not cached ones.
+
+* **Authentication via Warden**  Warden will return immediately if a resource that requires authentication is accessed without authentication.  If `Warden::Manager`is in the stack before `Rack::Cors`, it will return without the correct CORS headers being applied, resulting in a failed CORS request.  Be sure to insert this middleware before 'Warden::Manager`.
+
+To determine where to put the CORS middleware in the Rack stack, run the following command:
+
+```bash
+bundle exec rake middleware
+```
+
+In many cases, the Rack stack will be different running in production environments.  For example, the `ActionDispatch::Static` middleware will not be part of the stack if `config.serve_static_assets = false`.  You can run the following command to see what your middleware stack looks like in production:
+
+```bash
+bundle exec RAILS_ENV=production rake middleware
+```

data/lib/rack/cors.rb

@@ -2,11 +2,23 @@ require 'logger'
 
 module Rack
   class Cors
+    ENV_KEY    = 'X_RACK_CORS'.freeze
+
+    ORIGIN_HEADER_KEY     = 'HTTP_ORIGIN'.freeze
+    PATH_INFO_HEADER_KEY  = 'PATH_INFO'.freeze
+
     def initialize(app, opts={}, &block)
       @app = app
-      @logger = opts[:logger]
       @debug_mode = !!opts[:debug]
 
+      if logger = opts[:logger]
+        if logger.respond_to? :call
+          @logger_proc = opts[:logger]
+        else
+          @logger = logger
+        end
+      end
+
       if block_given?
         if block.arity == 1
           block.call(self)
@@ -16,6 +28,10 @@ module Rack
       end
     end
 
+    def debug?
+      @debug_mode
+    end
+
     def allow(&block)
       all_resources << (resources = Resources.new)
 
@@ -27,14 +43,13 @@ module Rack
     end
 
     def call(env)
-      env['HTTP_ORIGIN'] = 'file://' if env['HTTP_ORIGIN'] == 'null'
-      env['HTTP_ORIGIN'] ||= env['HTTP_X_ORIGIN']
+      env[ORIGIN_HEADER_KEY] ||= env['HTTP_X_ORIGIN']
 
-      cors_headers = nil
-      if env['HTTP_ORIGIN']
+      add_headers = nil
+      if env[ORIGIN_HEADER_KEY]
         debug(env) do
           [ 'Incoming Headers:',
-            "  Origin: #{env['HTTP_ORIGIN']}",
+            "  Origin: #{env[ORIGIN_HEADER_KEY]}",
             "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
             "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
             ].join("\n")
@@ -48,12 +63,16 @@ module Rack
             return [200, headers, []]
           end
         else
-          cors_headers = process_cors(env)
+          add_headers = process_cors(env)
         end
+      else
+        Result.miss(env, Result::MISS_NO_ORIGIN)
       end
+
       status, headers, body = @app.call env
-      if cors_headers
-        headers = headers.merge(cors_headers)
+
+      if add_headers
+        headers = headers.merge(add_headers)
 
         # http://www.w3.org/TR/cors/#resource-implementation
         unless headers['Access-Control-Allow-Origin'] == '*'
@@ -61,16 +80,33 @@ module Rack
           headers['Vary'] = ((vary ? vary.split(/,\s*/) : []) + ['Origin']).uniq.join(', ')
         end
       end
+
+      if debug? && result = env[ENV_KEY]
+        result.append_header(headers)
+      end
+
       [status, headers, body]
     end
 
     protected
       def debug(env, message = nil, &block)
-        if @debug_mode
-          logger = @logger || env['rack.logger'] || begin
-            @logger = ::Logger.new(STDOUT).tap {|logger| logger.level = ::Logger::Severity::INFO}
-          end
-          logger.debug(message, &block)
+        (@logger || select_logger(env)).debug(message, &block) if debug?
+      end
+
+      def select_logger(env)
+        @logger = if @logger_proc
+          logger_proc = @logger_proc
+          @logger_proc = nil
+          logger_proc.call
+
+        elsif defined?(Rails) && Rails.logger
+          Rails.logger
+
+        elsif env['rack.logger']
+          env['rack.logger']
+
+        else
+          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
         end
       end
 
@@ -79,22 +115,104 @@ module Rack
       end
 
       def process_preflight(env)
-        resource = find_resource(env['HTTP_ORIGIN'], env['PATH_INFO'],env)
-        resource && resource.process_preflight(env)
+        resource, error = find_resource(env)
+        if resource
+          Result.preflight_hit(env)
+          preflight = resource.process_preflight(env)
+          preflight
+
+        else
+          Result.preflight_miss(env, error)
+          nil
+        end
       end
 
       def process_cors(env)
-        resource = find_resource(env['HTTP_ORIGIN'], env['PATH_INFO'],env)
-        resource.to_headers(env) if resource
+        resource, error = find_resource(env)
+        if resource
+          Result.hit(env)
+          cors = resource.to_headers(env)
+          cors
+
+        else
+          Result.miss(env, error)
+          nil
+        end
       end
 
-      def find_resource(origin, path, env)
+      def find_resource(env)
+        path   = env[PATH_INFO_HEADER_KEY]
+        origin = env[ORIGIN_HEADER_KEY]
+
+        origin_matched = false
         all_resources.each do |r|
-          if r.allow_origin?(origin, env) and found = r.find_resource(path)
-            return found
+          if r.allow_origin?(origin, env)
+            origin_matched = true
+            if found = r.find_resource(path)
+              return [found, nil]
+            end
+          end
+        end
+
+        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+      end
+
+      class Result
+        HEADER_KEY = 'X-Rack-CORS'.freeze
+
+        MISS_NO_ORIGIN = 'no-origin'.freeze
+        MISS_NO_PATH   = 'no-path'.freeze
+
+        attr_accessor :preflight, :hit, :miss_reason
+
+        def hit?
+          !!hit
+        end
+
+        def preflight?
+          !!preflight
+        end
+
+        def self.hit(env)
+          r = Result.new
+          r.preflight = false
+          r.hit = true
+          env[ENV_KEY] = r
+        end
+
+        def self.miss(env, reason)
+          r = Result.new
+          r.preflight = false
+          r.hit = false
+          r.miss_reason = reason
+          env[ENV_KEY] = r
+        end
+
+        def self.preflight_hit(env)
+          r = Result.new
+          r.preflight = true
+          r.hit = true
+          env[ENV_KEY] = r
+        end
+
+        def self.preflight_miss(env, reason)
+          r = Result.new
+          r.preflight = true
+          r.hit = false
+          r.miss_reason = reason
+          env[ENV_KEY] = r
+        end
+
+        def append_header(headers)
+          headers[HEADER_KEY] = if hit?
+            preflight? ? 'preflight-hit' : 'hit'
+          else
+            [
+              (preflight? ? 'preflight-miss' : 'preflight-hit'),
+              miss_reason
+            ].join('; ')
           end
         end
-        nil
       end
 
       class Resources
@@ -104,13 +222,14 @@ module Rack
           @public_resources = false
         end
 
-        def origins(*args,&blk)
+        def origins(*args, &blk)
           @origins = args.flatten.collect do |n|
             case n
-            when Regexp, /^https?:\/\// then n
-            when 'file://'              then n
-            when '*'                    then @public_resources = true; n
-            else                        ["http://#{n}", "https://#{n}"]
+            when Regexp,
+                 /^https?:\/\//,
+                 'file://'        then n
+            when '*'              then @public_resources = true; n
+            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}")
             end
           end.flatten
           @origins.push(blk) if blk
@@ -126,11 +245,14 @@ module Rack
 
         def allow_origin?(source,env = {})
           return true if public_resources?
+
+          effective_source = (source == 'null' ? 'file://' : source)
+
           return !! @origins.detect do |origin|
             if origin.is_a?(Proc)
               origin.call(source,env)
             else
-              origin === source
+              origin === effective_source
             end
           end
         end
@@ -145,7 +267,7 @@ module Rack
 
         def initialize(public_resource, path, opts={})
           self.path        = path
-          self.methods     = ensure_enum(opts[:methods]) || [:get]
+          self.methods     = prepare_and_validate_methods_option(opts[:methods]) || [:get]
           self.credentials = opts[:credentials].nil? ? true : opts[:credentials]
           self.max_age     = opts[:max_age] || 1728000
           self.pattern     = compile(path)
@@ -173,7 +295,7 @@ module Rack
         def to_headers(env)
           x_origin = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
           h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env['HTTP_ORIGIN']),
+            'Access-Control-Allow-Origin'     => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
             'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
             'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
             'Access-Control-Max-Age'          => max_age.to_s }
@@ -188,7 +310,7 @@ module Rack
 
           def origin_for_response_header(origin)
             return '*' if public_resource? && !credentials
-            origin == 'file://' ? 'null' : origin
+            origin
           end
 
           def to_preflight_headers(env)
@@ -217,6 +339,11 @@ module Rack
             end
           end
 
+          def prepare_and_validate_methods_option setting
+            raise ArgumentError.new("rack-cors methods must be an single HTTP verb, or an array of verbs") if setting && setting == :any
+            ensure_enum setting
+          end
+
           def ensure_enum(v)
             return nil if v.nil?
             [v].flatten

data/lib/rack/cors/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Cors
-    VERSION = "0.2.9"
+    VERSION = "0.3.0"
   end
 end

data/rack-cors.gemspec

@@ -8,9 +8,9 @@ Gem::Specification.new do |spec|
   spec.version       = Rack::Cors::VERSION
   spec.authors       = ["Calvin Yu"]
   spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: http://github.com/cyu/rack-cors}
+  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: https://github.com/cyu/rack-cors}
   spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
-  spec.homepage      = "http://github.com/cyu/rack-cors"
+  spec.homepage      = "https://github.com/cyu/rack-cors"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files`.split($/).reject { |f| f == '.gitignore' or f =~ /^examples/ }
@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
-  spec.add_development_dependency "shoulda", ">= 0"
+  spec.add_development_dependency "minitest", ">= 5.3.0"
   spec.add_development_dependency "mocha", ">= 0.14.0"
   spec.add_development_dependency "rack-test", ">= 0"
 end

data/test/cors/test.cors.coffee

@@ -7,6 +7,26 @@ describe 'CORS', ->
       expect(data).to.eql('Hello world')
       done()
 
+  it 'should allow PUT access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'PUT').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
+
+  it 'should allow HEAD access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'HEAD').done (data, textStatus, jqXHR) ->
+      expect(jqXHR.status).to.eql(200)
+      done()
+
+  it 'should allow DELETE access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'DELETE').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
+
+  it 'should allow OPTIONS access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'OPTIONS').done (data, textStatus, jqXHR) ->
+      expect(jqXHR.status).to.eql(200)
+      done()
+
   it 'should allow access to static resource', (done) ->
     $.get "http://#{CORS_SERVER}/static.txt", (data, status, xhr) ->
       expect($.trim(data)).to.eql("hello world")
@@ -20,4 +40,3 @@ describe 'CORS', ->
       success:(data, status, xhr) ->
         expect($.trim(data)).to.eql("OK!")
         done()
-

data/test/cors/test.cors.js

@@ -1,3 +1,4 @@
+// Generated by CoffeeScript 1.7.1
 (function() {
   var CORS_SERVER;
 
@@ -10,6 +11,38 @@
         return done();
       });
     });
+    it('should allow PUT access to dynamic resource', function(done) {
+      return $.ajax("http://" + CORS_SERVER + "/", {
+        type: 'PUT'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(data).to.eql('Hello world');
+        return done();
+      });
+    });
+    it('should allow HEAD access to dynamic resource', function(done) {
+      return $.ajax("http://" + CORS_SERVER + "/", {
+        type: 'HEAD'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(jqXHR.status).to.eql(200);
+        return done();
+      });
+    });
+    it('should allow DELETE access to dynamic resource', function(done) {
+      return $.ajax("http://" + CORS_SERVER + "/", {
+        type: 'DELETE'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(data).to.eql('Hello world');
+        return done();
+      });
+    });
+    it('should allow OPTIONS access to dynamic resource', function(done) {
+      return $.ajax("http://" + CORS_SERVER + "/", {
+        type: 'OPTIONS'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(jqXHR.status).to.eql(200);
+        return done();
+      });
+    });
     it('should allow access to static resource', function(done) {
       return $.get("http://" + CORS_SERVER + "/static.txt", function(data, status, xhr) {
         expect($.trim(data)).to.eql("hello world");

data/test/unit/cors_test.rb

@@ -1,9 +1,9 @@
 require 'rubygems'
-require 'test/unit'
+require 'minitest/autorun'
 require 'rack/test'
-require 'shoulda'
 require 'mocha/setup'
 require 'rack/cors'
+require 'ostruct'
 
 Rack::Test::Session.class_eval do
   def options(uri, params = {}, env = {}, &block)
@@ -16,149 +16,231 @@ Rack::Test::Methods.class_eval do
   def_delegator :current_session, :options
 end
 
-class CorsTest < Test::Unit::TestCase
+describe Rack::Cors do
   include Rack::Test::Methods
 
-  def app
-    eval "Rack::Builder.new {( " + File.read(File.dirname(__FILE__) + '/test.ru') + "\n )}"
+  attr_accessor :cors_result
+
+  def load_app(name)
+    test = self
+    Rack::Builder.new do
+      eval File.read(File.dirname(__FILE__) + "/#{name}.ru")
+      map('/') do
+        run proc { |env|
+          test.cors_result = env[Rack::Cors::ENV_KEY]
+          [200, {'Content-Type' => 'text/html'}, ['success']]
+        }
+      end
+    end
   end
 
-  should('support simple cors request') { cors_request }
+  let(:app) { load_app('test') }
 
-  should 'support OPTIONS cors request' do
+  it 'should support simple CORS request' do
+    cors_request
+    cors_result.must_be :hit
+  end
+
+  it "should not return CORS headers if Origin header isn't present" do
+    get '/'
+    should_render_cors_failure
+    cors_result.wont_be :hit
+  end
+
+  it 'should support OPTIONS CORS request' do
     cors_request '/options', :method => :options
   end
 
-  should 'support regex origins configuration' do
+  it 'should support regex origins configuration' do
     cors_request :origin => 'http://192.168.0.1:1234'
   end
 
-  should 'support proc origins configuration' do
+  it 'should support proc origins configuration' do
     cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
   end
 
-  should 'support alternative X-Origin header' do
+  it 'should support alternative X-Origin header' do
     header 'X-Origin', 'http://localhost:3000'
     get '/'
-    assert_cors_success
+    should_render_cors_success
   end
 
-  should 'support expose header configuration' do
+  it 'should support expose header configuration' do
     cors_request '/expose_single_header'
-    assert_equal 'expose-test', last_response.headers['Access-Control-Expose-Headers']
+    last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test'
   end
 
-  should 'support expose multiple header configuration' do
+  it 'should support expose multiple header configuration' do
     cors_request '/expose_multiple_headers'
-    assert_equal 'expose-test-1, expose-test-2', last_response.headers['Access-Control-Expose-Headers']
+    last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test-1, expose-test-2'
   end
 
-  should 'add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
+  it 'should add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
     cors_request '/', :origin => "http://192.168.0.3:8080"
-    assert_cors_success
-    assert_equal 'http://192.168.0.3:8080', last_response.headers['Access-Control-Allow-Origin']
-    assert_not_nil last_response.headers['Vary'], 'missing Vary header'
+    last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://192.168.0.3:8080'
+    last_response.headers['Vary'].wont_be_nil
   end
 
-  should 'not add Vary header if Access-Control-Allow-Origin header was added and if it is generic (*)' do
+  it 'should not add Vary header if Access-Control-Allow-Origin header was added and if it is generic (*)' do
     cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
-    assert_cors_success
-    assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
-    assert_nil last_response.headers['Vary'], 'no expecting Vary header'
+    last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+    last_response.headers['Vary'].must_be_nil
   end
 
-  should 'support multi allow configurations for the same resource' do
+  it 'should support multi allow configurations for the same resource' do
     cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
-    assert_cors_success
-    assert_equal 'http://mucho-grande.com', last_response.headers['Access-Control-Allow-Origin']
-    assert_equal 'Origin', last_response.headers['Vary'], 'expecting Vary header'
+    last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://mucho-grande.com'
+    last_response.headers['Vary'].must_equal 'Origin'
 
     cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
-    assert_cors_success
-    assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
-    assert_nil last_response.headers['Vary'], 'no expecting Vary header'
+    last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+    last_response.headers['Vary'].must_be_nil
   end
 
-  should 'not log debug messages if debug option is false' do
-    app = mock
-    app.stubs(:call).returns(200, {}, [''])
+  it "should not return CORS headers on OPTIONS request if Access-Control-Allow-Origin is not present" do
+    options '/get-only'
+    last_response.headers['Access-Control-Allow-Origin'].must_be_nil
+  end
 
-    logger = mock
-    logger.expects(:debug).never
+  describe 'logging' do
+    it 'should not log debug messages if debug option is false' do
+      app = mock
+      app.stubs(:call).returns(200, {}, [''])
 
-    cors = Rack::Cors.new(app, :debug => false, :logger => logger) {}
-    cors.send(:debug, {}, 'testing')
-  end
+      logger = mock
+      logger.expects(:debug).never
+
+      cors = Rack::Cors.new(app, :debug => false, :logger => logger) {}
+      cors.send(:debug, {}, 'testing')
+    end
+
+    it 'should log debug messages if debug option is true' do
+      app = mock
+      app.stubs(:call).returns(200, {}, [''])
+
+      logger = mock
+      logger.expects(:debug)
+
+      cors = Rack::Cors.new(app, :debug => true, :logger => logger) {}
+      cors.send(:debug, {}, 'testing')
+    end
+
+    it 'should use rack.logger if available' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+
+      logger = mock
+      logger.expects(:debug).at_least_once
 
-  should 'log debug messages if debug option is true' do
-    app = mock
-    app.stubs(:call).returns(200, {}, [''])
+      cors = Rack::Cors.new(app, :debug => true) {}
+      cors.call({'rack.logger' => logger, 'HTTP_ORIGIN' => 'test.com'})
+    end
+
+    it 'should use logger proc' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+
+      logger = mock
+      logger.expects(:debug)
+
+      cors = Rack::Cors.new(app, :debug => true, :logger => proc { logger }) {}
+      cors.call({'HTTP_ORIGIN' => 'test.com'})
+    end
+
+    describe 'with Rails setup' do
+      after do
+        ::Rails.logger = nil if defined?(::Rails)
+      end
+
+      it 'should use Rails.logger if available' do
+        app = mock
+        app.stubs(:call).returns([200, {}, ['']])
+
+        logger = mock
+        logger.expects(:debug)
 
-    logger = mock
-    logger.expects(:debug)
+        ::Rails = OpenStruct.new(:logger => logger)
 
-    cors = Rack::Cors.new(app, :debug => true, :logger => logger) {}
-    cors.send(:debug, {}, 'testing')
+        cors = Rack::Cors.new(app, :debug => true) {}
+        cors.call({'HTTP_ORIGIN' => 'test.com'})
+      end
+    end
   end
 
-  context 'preflight requests' do
-    should 'fail if origin is invalid' do
+  describe 'preflight requests' do
+    it 'should fail if origin is invalid' do
       preflight_request('http://allyourdataarebelongtous.com', '/')
-      assert_cors_failure
+      should_render_cors_failure
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
-    should 'fail if Access-Control-Request-Method is not allowed' do
+    it 'should fail if Access-Control-Request-Method is not allowed' do
       preflight_request('http://localhost:3000', '/get-only', :method => :post)
-      assert_cors_failure
+      should_render_cors_failure
     end
 
-    should 'fail if header is not allowed' do
+    it 'should fail if header is not allowed' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'Fooey')
-      assert_cors_failure
+      should_render_cors_failure
     end
 
-    should 'allow any header if headers = :any' do
+    it 'should allow any header if headers = :any' do
       preflight_request('http://localhost:3000', '/', :headers => 'Fooey')
-      assert_cors_success
+      should_render_cors_success
     end
 
-    should 'allow header case insensitive match' do
+    it 'should allow header case insensitive match' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
-      assert_cors_success
+      should_render_cors_success
     end
 
-    should 'allow multiple headers match' do
+    it 'should allow multiple headers match' do
       # Webkit style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'X-Requested-With, X-Domain-Token')
-      assert_cors_success
+      should_render_cors_success
 
       # Gecko style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'x-requested-with,x-domain-token')
-      assert_cors_success
+      should_render_cors_success
     end
 
-    should '* origin should allow any origin' do
+    it 'should * origin should allow any origin' do
       preflight_request('http://locohost:3000', '/public')
-      assert_cors_success
-      assert_equal 'http://locohost:3000', last_response.headers['Access-Control-Allow-Origin']
+      should_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://locohost:3000'
     end
 
-    should '* origin should allow any origin, and set * if no credentials required' do
+    it 'should * origin should allow any origin, and set * if no credentials required' do
       preflight_request('http://locohost:3000', '/public_without_credentials')
-      assert_cors_success
-      assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
+      should_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
-    should '"null" origin, allowed as "file://", returned as "null" in header' do
+    it 'should "null" origin, allowed as "file://", returned as "null" in header' do
       preflight_request('null', '/')
-      assert_cors_success
-      assert_equal 'null', last_response.headers['Access-Control-Allow-Origin']
+      should_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal 'null'
+    end
+
+    it 'should return "file://" as header with "file://" as origin' do
+      preflight_request('file://', '/')
+      should_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal 'file://'
     end
 
-    should 'return a Content-Type' do
+    it 'should return a Content-Type' do
       preflight_request('http://localhost:3000', '/')
-      assert_cors_success
-      assert_not_nil last_response.headers['Content-Type']
+      should_render_cors_success
+      last_response.headers['Content-Type'].wont_be_nil
+    end
+  end
+
+  describe "with non HTTP config" do
+    let(:app) { load_app("non_http") }
+
+    it 'should support non http/https origins' do
+      cors_request '/public', origin: 'content://com.company.app'
     end
   end
 
@@ -170,8 +252,8 @@ class CorsTest < Test::Unit::TestCase
       opts.merge! args.last if args.last.is_a?(Hash)
 
       header 'Origin', opts[:origin]
-      current_session.__send__ opts[:method], path
-      assert_cors_success
+      current_session.__send__ opts[:method], path, {}, test: self
+      should_render_cors_success
     end
 
     def preflight_request(origin, path, opts = {})
@@ -185,11 +267,11 @@ class CorsTest < Test::Unit::TestCase
       options path
     end
 
-    def assert_cors_success
-      assert_not_nil last_response.headers['Access-Control-Allow-Origin'], 'missing Access-Control-Allow-Origin header'
+    def should_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].wont_be_nil
     end
 
-    def assert_cors_failure
-      assert_nil last_response.headers['Access-Control-Allow-Origin'], 'no expecting Access-Control-Allow-Origin header'
+    def should_render_cors_failure
+      last_response.headers['Access-Control-Allow-Origin'].must_be_nil
     end
 end

data/test/unit/dsl_test.rb

@@ -1,11 +1,10 @@
 require 'rubygems'
-require 'test/unit'
+require 'minitest/autorun'
 require 'rack/cors'
-require 'shoulda'
 
 
-class DSLTest < Test::Unit::TestCase
-  should 'support explicit config object dsl mode' do
+describe Rack::Cors, 'DSL' do
+  it 'should support explicit config object dsl mode' do
     cors = Rack::Cors.new(Proc.new {}) do |cfg|
       cfg.allow do |allow|
         allow.origins 'localhost:3000', '127.0.0.1:3000' do |source,env|
@@ -17,15 +16,15 @@ class DSLTest < Test::Unit::TestCase
       end
     end
     resources = cors.send :all_resources
-    assert_equal 1, resources.length
-    assert resources.first.allow_origin?('http://localhost:3000')
 
-    assert  resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "test-agent" })
-    assert !resources.first.allow_origin?('http://10.10.10.10:3001',{"USER_AGENT" => "test-agent" })
-    assert !resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "other-agent"})
+    resources.length.must_equal 1
+    resources.first.allow_origin?('http://localhost:3000').must_equal true
+    resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "test-agent" }).must_equal true
+    resources.first.allow_origin?('http://10.10.10.10:3001',{"USER_AGENT" => "test-agent" }).wont_equal true
+    resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "other-agent"}).wont_equal true
   end
 
-  should 'support implicit config object dsl mode' do
+  it 'should support implicit config object dsl mode' do
     cors = Rack::Cors.new(Proc.new {}) do
       allow do
         origins 'localhost:3000', '127.0.0.1:3000' do |source,env|
@@ -37,15 +36,15 @@ class DSLTest < Test::Unit::TestCase
       end
     end
     resources = cors.send :all_resources
-    assert_equal 1, resources.length
-    assert resources.first.allow_origin?('http://localhost:3000')
 
-    assert  resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "test-agent" })
-    assert !resources.first.allow_origin?('http://10.10.10.10:3001',{"USER_AGENT" => "test-agent" })
-    assert !resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "other-agent"})
+    resources.length.must_equal 1
+    resources.first.allow_origin?('http://localhost:3000').must_equal true
+    resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "test-agent" }).must_equal true
+    resources.first.allow_origin?('http://10.10.10.10:3001',{"USER_AGENT" => "test-agent" }).wont_equal true
+    resources.first.allow_origin?('http://10.10.10.10:3000',{"USER_AGENT" => "other-agent"}).wont_equal true
   end
 
-  should 'support "file://" origin' do
+  it 'should support "file://" origin' do
     cors = Rack::Cors.new(Proc.new {}) do
       allow do
         origins 'file://'
@@ -53,6 +52,7 @@ class DSLTest < Test::Unit::TestCase
       end
     end
     resources = cors.send :all_resources
-    assert resources.first.allow_origin?('file://')
+
+    resources.first.allow_origin?('file://').must_equal true
   end
 end

data/test/unit/non_http.ru

@@ -0,0 +1,8 @@
+require 'rack/cors'
+
+use Rack::Cors do
+  allow do
+    origins 'com.company.app'
+    resource '/public'
+  end
+end

data/test/unit/test.ru

@@ -41,7 +41,3 @@ use Rack::Cors do
     resource '/multi-allow-config', :max_age => 300, :credentials => false
   end
 end
-
-map '/' do
-  run Proc.new { |env| [200, {'Content-Type' => 'text/html'}, ['success']] }
-end

metadata

@@ -1,97 +1,98 @@
 --- !ruby/object:Gem::Specification
 name: rack-cors
 version: !ruby/object:Gem::Version
-  version: 0.2.9
+  version: 0.3.0
 platform: ruby
 authors:
 - Calvin Yu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-12 00:00:00.000000000 Z
+date: 2014-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: shoulda
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.3.0
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.14.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.14.0
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: ! 'Middleware that will make Rack-based apps CORS compatible.  Read more
+description: 'Middleware that will make Rack-based apps CORS compatible.  Read more
   here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the
-  project here: http://github.com/cyu/rack-cors'
+  project here: https://github.com/cyu/rack-cors'
 email:
 - me@sourcebender.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG
 - Gemfile
 - LICENSE.txt
-- README.rdoc
+- README.md
 - Rakefile
 - lib/rack/cors.rb
 - lib/rack/cors/version.rb
@@ -104,8 +105,9 @@ files:
 - test/cors/test.cors.js
 - test/unit/cors_test.rb
 - test/unit/dsl_test.rb
+- test/unit/non_http.ru
 - test/unit/test.ru
-homepage: http://github.com/cyu/rack-cors
+homepage: https://github.com/cyu/rack-cors
 licenses:
 - MIT
 metadata: {}
@@ -115,17 +117,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.9
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps
@@ -138,4 +140,5 @@ test_files:
 - test/cors/test.cors.js
 - test/unit/cors_test.rb
 - test/unit/dsl_test.rb
+- test/unit/non_http.ru
 - test/unit/test.ru

data/README.rdoc

@@ -1,66 +0,0 @@
-= Rack CORS Middleware
-
-Rack::Cors provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.  The CORS spec allows web applications to make cross domain AJAX calls without
-using workarounds such as JSONP.  For a thorough write up on CORS, see this blog post:
-
-http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/
-
-Or for all the gory details, you can read the spec here:
-
-http://www.w3.org/TR/access-control/#simple-cross-origin-request-and-actual-r
-
-
-Install the gem:
-
-  gem install rack-cors
-
-In your Gemfile:
-
-  gem 'rack-cors', :require => 'rack/cors'
-
-
-== Configuration
-
-You configure Rack::Cors by passing a block to the <tt>use</tt> command:
-
-  use Rack::Cors do
-    allow do
-      origins 'localhost:3000', '127.0.0.1:3000',
-              /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/
-              # regular expressions can be used here
-
-      resource '/file/list_all/', :headers => 'x-domain-token'
-      resource '/file/at/*',
-          :methods => [:get, :post, :put, :delete, :options],
-          :headers => 'x-domain-token',
-          :expose  => ['Some-Custom-Response-Header'],
-          :max_age => 600
-          # headers to expose
-    end
-
-    allow do
-      origins '*'
-      resource '/public/*', :headers => :any, :methods => :get
-    end
-  end
-
-Put your code in "config/application.rb" on your rails application. For example, this will allow
-from any origins on any resource of your application, methods :get, :post and :options.
-
-  module YourApp
-    class Application < Rails::Application
-
-      # ...
-
-      config.middleware.use Rack::Cors do
-        allow do
-          origins '*'
-          resource '*', :headers => :any, :methods => [:get, :post, :options]
-        end
-      end
-      
-    end
-  end
-
-See http://guides.rubyonrails.org/rails_on_rack.html for more details on rack middlewares or
-http://railscasts.com/episodes/151-rack-middleware.