RubyGems - rack-cors - Versions diffs - 0.4.0 → 0.4.1 - Mend

rack-cors 0.4.0 → 0.4.1

Potentially problematic release.

This version of rack-cors might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7dff10b0f517624773d305e553e1f6720dc576ac
-  data.tar.gz: 0919837eb9b79cedeb5c638ae9e9169ae4587dd6
+  metadata.gz: aaa518c3408420a39bd3c41bd822cdda6309beb2
+  data.tar.gz: 8fa4c9d5141e4d6c4df8600175f44ba6803ebe9f
 SHA512:
-  metadata.gz: acf2fa484542085cd98d4e4eafd9a62d9bf38a156e67015829c1c58ba8b899866afb6489f5202122ad2f7b4f70e9bd0c69253590dfb7c52c43095168d67f79bd
-  data.tar.gz: 3b40c2862c728310236da3070f061b040c8090068142ffe0decdd16d66f3cdf83e4520ccf07c6cde38bb43b95cd8e7d38d6f4cbb6a1e4d06d4eb2324901ff531
+  metadata.gz: 633c772b16e08fad8fb93a7d1bf5d62a398abb534a27ce0d44df843242c5e1077112e98b1eb7e2d3849da952fec1754cd2e8451195c1a2c86ac567d69652b859
+  data.tar.gz: 8e0265d2d82db72ac68871dcf0eaf974809638d5a52514f99392b731fe09050ab07968c5e538a35d7bba2b7892cc62b3d6b7b401fe8a05c4648f5ad57a092abf

data/.travis.yml ADDED

@@ -0,0 +1,6 @@
+language: ruby
+sudo: false
+rvm:
+  - 2.2.5
+  - 2.3.0
+  - 2.3.1

data/CHANGELOG CHANGED

@@ -1,6 +1,10 @@
 # Change Log
 All notable changes to this project will be documented in this file.
+## 0.4.1 - 2017-02-01
+### Fixed
+- Return miss result in X-Rack-CORS instead of incorrectly returning preflight-hit
 ## 0.4.0 - 2015-04-15
 ### Changed
 - Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil

data/Gemfile CHANGED

@@ -2,3 +2,5 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in rack-cors.gemspec
 gemspec
+gem 'pry-byebug'

data/README.md CHANGED

@@ -1,6 +1,6 @@
 # Rack CORS Middleware [![Build Status](https://travis-ci.org/cyu/rack-cors.svg?branch=master)](https://travis-ci.org/cyu/rack-cors)
-`Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
+`Rack::Cors` provides support for Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
 The [CORS spec](http://www.w3.org/TR/cors/) allows web applications to make cross domain AJAX calls without using workarounds such as JSONP. See [Cross-domain Ajax with Cross-Origin Resource Sharing](http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/)
@@ -19,7 +19,43 @@ gem 'rack-cors', :require => 'rack/cors'
 ## Configuration
-### Rack
+### Rails Configuration
+Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
+```ruby
+module YourApp
+  class Application < Rails::Application
+    # ...
+    # Rails 3/4
+    config.middleware.insert_before 0, "Rack::Cors" do
+      allow do
+        origins '*'
+        resource '*', :headers => :any, :methods => [:get, :post, :options]
+      end
+    end
+    # Rails 5
+    config.middleware.insert_before 0, Rack::Cors do
+      allow do
+        origins '*'
+        resource '*', :headers => :any, :methods => [:get, :post, :options]
+      end
+    end
+  end
+end
+```
+Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
+See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
+### Rack Configuration
+NOTE: If you're running Rails, updating in `config/application.rb` should be enough.  There is no need to update `config.ru` as well.
 In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
@@ -27,12 +63,12 @@ In `config.ru`, configure `Rack::Cors` by passing a block to the `use` command:
 use Rack::Cors do
   allow do
     origins 'localhost:3000', '127.0.0.1:3000',
-            /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/
+            /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/
             # regular expressions can be used here
     resource '/file/list_all/', :headers => 'x-domain-token'
     resource '/file/at/*',
-        :methods => [:get, :post, :put, :delete, :options],
+        :methods => [:get, :post, :delete, :put, :patch, :options, :head],
         :headers => 'x-domain-token',
         :expose  => ['Some-Custom-Response-Header'],
         :max_age => 600
@@ -46,44 +82,28 @@ use Rack::Cors do
 end
 ```
-### Rails
-Put something like the code below in `config/application.rb` of your Rails application. For example, this will allow GET, POST or OPTIONS requests from any origin on any resource.
-```ruby
-module YourApp
-  class Application < Rails::Application
-    # ...
-    config.middleware.insert_before 0, "Rack::Cors" do
-      allow do
-        origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
-      end
-    end
-  end
-end
-```
-Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
-See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware.)
 ### Configuration Reference
 #### Middleware Options
 * **debug** (boolean):  Enables debug logging and `X-Rack-CORS` HTTP headers for debugging.
-* **logger** (Object or Proc): Specify the logger to log to.  If a proc is provided, it will be called when a logger is needed (this is helpful in cases where the logger is initialized after `Rack::Cors` is used, like `Rails.logger`.
+* **logger** (Object or Proc): Specify the logger to log to.  If a proc is provided, it will be called when a logger is needed.  This is helpful in cases where the logger is initialized after `Rack::Cors` is initially configured, like `Rails.logger`.
 #### Origin
-Origins can be specified as a string, a regular expression, or as '*' to allow all origins.
+Origins can be specified as a string, a regular expression, or as '\*' to allow all origins.
+**\*SECURITY NOTE:** Be careful when using regular expressions to not accidentally be too inclusive.  For example, the expression `/https:\/\/example\.com/` will match the domain *example.com.randomdomainname.co.uk*.  It is recommended that any regular expression be enclosed with start & end string anchors (`\A\z`).
+Additionally, origins can be specified dynamically via a block of the following form:
+```ruby
+  origins { |source, env| true || false }
+```
 #### Resource
-A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '*' wildcard (`/all/files/in/*`).  A resource that take the following options:
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  A resource can take the following options:
-* **methods** (string or array): The HTTP methods allowed for the resource.
+* **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
-* **expose** (string or array): The HTTP headers in the resource response can can be exposed to the client.
+* **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
 * **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
 * **max_age** (number): Sets the `Access-Control-Max-Age` response header.
 * **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.

data/lib/rack/cors.rb CHANGED

@@ -13,6 +13,7 @@ module Rack
     def initialize(app, opts={}, &block)
       @app = app
       @debug_mode = !!opts[:debug]
+      @logger = @logger_proc = nil
       if logger = opts[:logger]
         if logger.respond_to? :call
@@ -80,7 +81,14 @@ module Rack
       status, headers, body = @app.call env
       if add_headers
-        headers = headers.merge(add_headers)
+        headers = add_headers.merge(headers)
+        debug(env) do
+          add_headers.each_pair do |key, value|
+            if headers.has_key?(key)
+              headers["X-Rack-CORS-Original-#{key}"] = value
+            end
+          end
+        end
       end
       # Vary header should ALWAYS mention Origin if there's ANY chance for the
@@ -232,7 +240,7 @@ module Rack
             preflight? ? 'preflight-hit' : 'hit'
           else
             [
-              (preflight? ? 'preflight-miss' : 'preflight-hit'),
+              (preflight? ? 'preflight-miss' : 'miss'),
               miss_reason
             ].join('; ')
           end
@@ -253,7 +261,7 @@ module Rack
                  /^https?:\/\//,
                  'file://'        then n
             when '*'              then @public_resources = true; n
-            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}")
+            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
             end
           end.flatten
           @origins.push(blk) if blk
@@ -333,7 +341,6 @@ module Rack
         end
         def to_headers(env)
-          x_origin = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
           h = {
             'Access-Control-Allow-Origin'     => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
             'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),

data/lib/rack/cors/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Rack
   class Cors
-    VERSION = "0.4.0"
+    VERSION = "0.4.1"
   end
 end

data/test/unit/cors_test.rb CHANGED

@@ -1,4 +1,3 @@
-require 'rubygems'
 require 'minitest/autorun'
 require 'rack/test'
 require 'mocha/setup'
@@ -6,9 +5,11 @@ require 'rack/cors'
 require 'ostruct'
 Rack::Test::Session.class_eval do
-  def options(uri, params = {}, env = {}, &block)
-    env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
-    process_request(uri, env, &block)
+  unless defined? :options
+    def options(uri, params = {}, env = {}, &block)
+      env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
+      process_request(uri, env, &block)
+    end
   end
 end
@@ -55,10 +56,20 @@ describe Rack::Cors do
     cors_request :origin => 'http://192.168.0.1:1234'
   end
+  it 'should support subdomain example' do
+    cors_request :origin => 'http://subdomain.example.com'
+  end
   it 'should support proc origins configuration' do
     cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
   end
+  it 'should not mix up path rules across origins' do
+    header 'Origin', 'http://10.10.10.10:3000'
+    get '/' # / is configured in a separate rule block
+    should_render_cors_failure
+  end
   it 'should support alternative X-Origin header' do
     header 'X-Origin', 'http://localhost:3000'
     get '/'
@@ -287,6 +298,32 @@ describe Rack::Cors do
     end
   end
+  describe 'with app overriding CORS header' do
+    let(:app) do
+      Rack::Builder.new do
+        use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
+          allow do
+            origins '*'
+            resource '/'
+          end
+        end
+        map('/') do
+          run ->(env) { [200, {'Content-Type' => 'text/plain', 'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
+        end
+      end
+    end
+    it "should return app header" do
+      cors_request origin: "http://example.net"
+      last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
+    end
+    it "should return original headers if in debug" do
+      cors_request origin: "http://example.net"
+      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "http://example.net"
+    end
+  end
   protected
     def cors_request(*args)
       path = args.first.is_a?(String) ? args.first : '/'

data/test/unit/test.ru CHANGED

@@ -4,7 +4,11 @@ require 'rack/cors'
 use Rack::Lint
 use Rack::Cors do
   allow do
-    origins 'localhost:3000', '127.0.0.1:3000', /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/, 'file://'
+    origins 'localhost:3000',
+            '127.0.0.1:3000',
+            /http:\/\/192\.168\.0\.\d{1,3}(:\d+)?/,
+            'file://',
+            /http:\/\/(.*?)\.example\.com/
     resource '/get-only', :methods => :get
     resource '/', :headers => :any, :methods => :any

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cors
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Calvin Yu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-04-15 00:00:00.000000000 Z
+date: 2017-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -89,6 +89,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".travis.yml"
 - CHANGELOG
 - Gemfile
 - LICENSE.txt
@@ -127,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.5
+rubygems_version: 2.5.2
 signing_key:
 specification_version: 4
 summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps