rack-cors 0.4.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aaa518c3408420a39bd3c41bd822cdda6309beb2
-  data.tar.gz: 8fa4c9d5141e4d6c4df8600175f44ba6803ebe9f
+  metadata.gz: 4d3e08e4dddeda03c7f6ae34307de611a84d848c
+  data.tar.gz: a6353f11742d77141c3e0e62d2a48e7367275391
 SHA512:
-  metadata.gz: 633c772b16e08fad8fb93a7d1bf5d62a398abb534a27ce0d44df843242c5e1077112e98b1eb7e2d3849da952fec1754cd2e8451195c1a2c86ac567d69652b859
-  data.tar.gz: 8e0265d2d82db72ac68871dcf0eaf974809638d5a52514f99392b731fe09050ab07968c5e538a35d7bba2b7892cc62b3d6b7b401fe8a05c4648f5ad57a092abf
+  metadata.gz: c613462413784ba147dc5efd45b355ae26c5c133637d428ddfe1aabd739c8c5d43a4b85827c7984448daf8baccf3ff1325a83cbb59a95145f0c5e25009fd700d
+  data.tar.gz: 9d0887852ae6b1144cf15f34b630ed22ab5f05099b00fdad950c7df0f989424f343ecb471bf538f2f244eb037e7e1d1159565c8e770bd37bf983b6e770c14a0d

data/CHANGELOG

@@ -1,18 +1,37 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 1.0.0 - 2017-07-15
+### Security
+- Don't implicitly accept 'null' origins when 'file://' is specified
+(https://github.com/cyu/rack-cors/pull/134)
+- Ignore '' origins (https://github.com/cyu/rack-cors/issues/139)
+- Default credentials option on resources to false
+(https://github.com/cyu/rack-cors/issues/95)
+- Don't allow credentials option to be true if '*' is specified is origin
+(https://github.com/cyu/rack-cors/pull/142)
+- Don't reflect Origin header when '*' is specified as origin
+(https://github.com/cyu/rack-cors/pull/142)
+
+### Fixed
+- Don't respond immediately on non-matching preflight requests instead of
+sending them through the app (https://github.com/cyu/rack-cors/pull/106)
+
 ## 0.4.1 - 2017-02-01
 ### Fixed
-- Return miss result in X-Rack-CORS instead of incorrectly returning preflight-hit
+- Return miss result in X-Rack-CORS instead of incorrectly returning
+preflight-hit
 
 ## 0.4.0 - 2015-04-15
 ### Changed
 - Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
+
 ### Added
 - Calculate vary headers for non-CORS resources
 - Support custom vary headers for resource
 - Support :if option for resource
 - Support :any as a possible value for :methods option
+
 ### Fixed
 - Don't symbolize incoming HTTP request methods
 
@@ -23,10 +42,9 @@ All notable changes to this project will be documented in this file.
 ## 0.3.0 - 2014-10-19
 ### Added
 - Added support for defining a logger with a Proc
-- Return a X-Rack-CORS header when in debug mode detailing how
-Rack::Cors processed a request
-- Added support for non HTTP/HTTPS origins when just a domain is
-is specified
+- Return a X-Rack-CORS header when in debug mode detailing how Rack::Cors
+processed a request
+- Added support for non HTTP/HTTPS origins when just a domain is specified
 
 ### Changed
 - Changed the log level of the fallback logger to DEBUG

data/README.md

@@ -28,28 +28,29 @@ module YourApp
 
     # ...
     
-    # Rails 3/4
+    # Rails 5
 
-    config.middleware.insert_before 0, "Rack::Cors" do
+    config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'
         resource '*', :headers => :any, :methods => [:get, :post, :options]
       end
     end
-    
-    # Rails 5
 
-    config.middleware.insert_before 0, Rack::Cors do
+    # Rails 3/4
+
+    config.middleware.insert_before 0, "Rack::Cors" do
       allow do
         origins '*'
         resource '*', :headers => :any, :methods => [:get, :post, :options]
       end
     end
-
+    
   end
 end
 ```
-Refer to [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3) and [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) for more details.
+
+We use `insert_before` to make sure `Rack::Cors` runs at the beginning of the stack to make sure it isn't interfered with with other middleware (see `Rack::Cache` note in **Common Gotchas** section). Check out the [rails 4 example](https://github.com/cyu/rack-cors/tree/master/examples/rails4) and [rails 3 example](https://github.com/cyu/rack-cors/tree/master/examples/rails3).
 
 See The [Rails Guide to Rack](http://guides.rubyonrails.org/rails_on_rack.html) for more details on rack middlewares or watch the [railscast](http://railscasts.com/episodes/151-rack-middleware).
 
@@ -98,13 +99,12 @@ Additionally, origins can be specified dynamically via a block of the following
   origins { |source, env| true || false }
 ```
 
-#### Resource
-A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  A resource can take the following options:
+A Resource path can be specified as exact string match (`/path/to/file.txt`) or with a '\*' wildcard (`/all/files/in/*`).  To include all of a directory's files and the files in its subdirectories, use this form: `/assets/**/*`.  A resource can take the following options:
 
 * **methods** (string or array or `:any`): The HTTP methods allowed for the resource.
 * **headers** (string or array or `:any`): The HTTP headers that will be allowed in the CORS resource request.  Use `:any` to allow for any headers in the actual request.
 * **expose** (string or array): The HTTP headers in the resource response can be exposed to the client.
-* **credentials** (boolean): Sets the `Access-Control-Allow-Credentials` response header.
+* **credentials** (boolean, default: `false`): Sets the `Access-Control-Allow-Credentials` response header. **Note:** If a wildcard (`*`) origin is specified, this option cannot be set to `true`.  Read this [security article](http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html) for more information.
 * **max_age** (number): Sets the `Access-Control-Max-Age` response header.
 * **if** (Proc): If the result of the proc is true, will process the request as a valid CORS request.
 * **vary** (string or array): A list of HTTP headers to add to the 'Vary' header.

data/lib/rack/cors.rb

@@ -2,13 +2,26 @@ require 'logger'
 
 module Rack
   class Cors
-    ENV_KEY = 'rack.cors'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'.freeze
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'.freeze
 
-    ORIGIN_HEADER_KEY     = 'HTTP_ORIGIN'.freeze
-    ORIGIN_X_HEADER_KEY   = 'HTTP_X_ORIGIN'.freeze
-    PATH_INFO_HEADER_KEY  = 'PATH_INFO'.freeze
-    VARY_HEADER_KEY       = 'Vary'.freeze
-    DEFAULT_VARY_HEADERS  = ['Origin'].freeze
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'.freeze
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'.freeze
+
+    PATH_INFO      = 'PATH_INFO'.freeze
+    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+
+    RACK_LOGGER = 'rack.logger'.freeze
+    RACK_CORS   =
+    # retaining the old key for backwards compatibility
+    ENV_KEY     = 'rack.cors'.freeze
+
+    OPTIONS      = 'OPTIONS'.freeze
+    VARY         = 'Vary'.freeze
+    CONTENT_TYPE = 'Content-Type'.freeze
+    TEXT_PLAIN   = 'text/plain'.freeze
+
+    DEFAULT_VARY_HEADERS = ['Origin'].freeze
 
     def initialize(app, opts={}, &block)
       @app = app
@@ -47,25 +60,24 @@ module Rack
     end
 
     def call(env)
-      env[ORIGIN_HEADER_KEY] ||= env[ORIGIN_X_HEADER_KEY] if env[ORIGIN_X_HEADER_KEY]
+      env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
 
       add_headers = nil
-      if env[ORIGIN_HEADER_KEY]
+      if env[HTTP_ORIGIN]
         debug(env) do
           [ 'Incoming Headers:',
-            "  Origin: #{env[ORIGIN_HEADER_KEY]}",
-            "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
-            "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
+            "  Origin: #{env[HTTP_ORIGIN]}",
+            "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+            "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
             ].join("\n")
         end
-        if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-          if headers = process_preflight(env)
-            debug(env) do
-              "Preflight Headers:\n" +
-                  headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
-            end
-            return [200, headers, []]
+        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          headers = process_preflight(env)
+          debug(env) do
+            "Preflight Headers:\n" +
+                headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
           end
+          return [200, headers, []]
         else
           add_headers = process_cors(env)
         end
@@ -74,9 +86,9 @@ module Rack
       end
 
       # This call must be done BEFORE calling the app because for some reason
-      # env[PATH_INFO_HEADER_KEY] gets changed after that and it won't match.
-      # (At least in rails 4.1.6)
-      vary_resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
+      # env[PATH_INFO] gets changed after that and it won't match. (At least
+      # in rails 4.1.6)
+      vary_resource = resource_for_path(env[PATH_INFO])
 
       status, headers, body = @app.call env
 
@@ -95,16 +107,16 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY_HEADER_KEY]
+        vary = headers[VARY]
         cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
           vary_resource.vary_headers
         else
           DEFAULT_VARY_HEADERS
         end
-        headers[VARY_HEADER_KEY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
+        headers[VARY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
       end
 
-      if debug? && result = env[ENV_KEY]
+      if debug? && result = env[RACK_CORS]
         result.append_header(headers)
       end
 
@@ -125,8 +137,8 @@ module Rack
         elsif defined?(Rails) && Rails.logger
           Rails.logger
 
-        elsif env['rack.logger']
-          env['rack.logger']
+        elsif env[RACK_LOGGER]
+          env[RACK_LOGGER]
 
         else
           ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
@@ -138,16 +150,15 @@ module Rack
       end
 
       def process_preflight(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.preflight_hit(env)
-          preflight = resource.process_preflight(env)
-          preflight
+        result = Result.preflight(env)
 
-        else
-          Result.preflight_miss(env, error)
-          nil
+        resource, error = match_resource(env)
+        unless resource
+          result.miss(error)
+          return {} 
         end
+
+        return resource.process_preflight(env, result)
       end
 
       def process_cors(env)
@@ -173,8 +184,8 @@ module Rack
       end
 
       def match_resource(env)
-        path   = env[PATH_INFO_HEADER_KEY]
-        origin = env[ORIGIN_HEADER_KEY]
+        path   = env[PATH_INFO]
+        origin = env[HTTP_ORIGIN]
 
         origin_matched = false
         all_resources.each do |r|
@@ -195,6 +206,10 @@ module Rack
         MISS_NO_ORIGIN = 'no-origin'.freeze
         MISS_NO_PATH   = 'no-path'.freeze
 
+        MISS_NO_METHOD   = 'no-method'.freeze
+        MISS_DENY_METHOD = 'deny-method'.freeze
+        MISS_DENY_HEADER = 'deny-header'.freeze
+
         attr_accessor :preflight, :hit, :miss_reason
 
         def hit?
@@ -205,11 +220,16 @@ module Rack
           !!preflight
         end
 
+        def miss(reason)
+          self.hit = false
+          self.miss_reason = reason
+        end
+
         def self.hit(env)
           r = Result.new
           r.preflight = false
           r.hit = true
-          env[ENV_KEY] = r
+          env[RACK_CORS] = r
         end
 
         def self.miss(env, reason)
@@ -217,23 +237,15 @@ module Rack
           r.preflight = false
           r.hit = false
           r.miss_reason = reason
-          env[ENV_KEY] = r
+          env[RACK_CORS] = r
         end
 
-        def self.preflight_hit(env)
+        def self.preflight(env)
           r = Result.new
           r.preflight = true
-          r.hit = true
-          env[ENV_KEY] = r
+          env[RACK_CORS] = r
         end
 
-        def self.preflight_miss(env, reason)
-          r = Result.new
-          r.preflight = true
-          r.hit = false
-          r.miss_reason = reason
-          env[ENV_KEY] = r
-        end
 
         def append_header(headers)
           headers[HEADER_KEY] = if hit?
@@ -248,6 +260,9 @@ module Rack
       end
 
       class Resources
+
+        attr_reader :resources
+
         def initialize
           @origins = []
           @resources = []
@@ -255,7 +270,7 @@ module Rack
         end
 
         def origins(*args, &blk)
-          @origins = args.flatten.collect do |n|
+          @origins = args.flatten.reject{ |s| s == '' }.map do |n|
             case n
             when Regexp,
                  /^https?:\/\//,
@@ -278,13 +293,11 @@ module Rack
         def allow_origin?(source,env = {})
           return true if public_resources?
 
-          effective_source = (source == 'null' ? 'file://' : source)
-
           return !! @origins.detect do |origin|
             if origin.is_a?(Proc)
               origin.call(source,env)
             else
-              origin === effective_source
+              origin === source
             end
           end
         end
@@ -300,11 +313,20 @@ module Rack
       end
 
       class Resource
+        class CorsMisconfigurationError < StandardError
+          def message
+            "Allowing credentials for wildcard origins is insecure."\
+            " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
+          end
+        end
+
         attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
 
         def initialize(public_resource, path, opts={})
+          raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
+
           self.path         = path
-          self.credentials  = opts[:credentials].nil? ? true : opts[:credentials]
+          self.credentials  = public_resource ? false : (opts[:credentials] == true)
           self.max_age      = opts[:max_age] || 1728000
           self.pattern      = compile(path)
           self.if_proc      = opts[:if]
@@ -323,7 +345,7 @@ module Rack
           else
             ensure_enum(opts[:methods]) || [:get]
           end.map{|e| e.to_s }
-          
+
           self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
         end
 
@@ -335,14 +357,29 @@ module Rack
           matches_path?(path) && (if_proc.nil? || if_proc.call(env))
         end
 
-        def process_preflight(env)
-          return nil if invalid_method_request?(env) || invalid_headers_request?(env)
-          {'Content-Type' => 'text/plain'}.merge(to_preflight_headers(env))
+        def process_preflight(env, result)
+          headers = {CONTENT_TYPE => TEXT_PLAIN}
+
+          request_method = env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          if request_method.nil?
+            result.miss(Result::MISS_NO_METHOD) and return headers
+          end
+          if !methods.include?(request_method.downcase)
+            result.miss(Result::MISS_DENY_METHOD) and return headers
+          end
+
+          request_headers = env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+          if request_headers && !allow_headers?(request_headers)
+            result.miss(Result::MISS_DENY_HEADER) and return headers
+          end
+
+          result.hit = true
+          headers.merge(to_preflight_headers(env))
         end
 
         def to_headers(env)
           h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
+            'Access-Control-Allow-Origin'     => origin_for_response_header(env[HTTP_ORIGIN]),
             'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
             'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
             'Access-Control-Max-Age'          => max_age.to_s }
@@ -356,28 +393,18 @@ module Rack
           end
 
           def origin_for_response_header(origin)
-            return '*' if public_resource? && !credentials
+            return '*' if public_resource?
             origin
           end
 
           def to_preflight_headers(env)
             h = to_headers(env)
-            if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-              h.merge!('Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
+            if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+              h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
             end
             h
           end
 
-          def invalid_method_request?(env)
-            request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-            request_method.nil? || !methods.include?(request_method.downcase)
-          end
-
-          def invalid_headers_request?(env)
-            request_headers = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-            request_headers && !allow_headers?(request_headers)
-          end
-
           def allow_headers?(request_headers)
             return false if headers.nil?
             headers == :any || begin

data/lib/rack/cors/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Cors
-    VERSION = "0.4.1"
+    VERSION = "1.0.0"
   end
 end

data/test/cors/test.cors.coffee

@@ -1,4 +1,4 @@
-CORS_SERVER = 'cors-server:3000'
+CORS_SERVER = '127.0.0.1.xip.io:9292'
 
 describe 'CORS', ->
 

data/test/cors/test.cors.js

@@ -1,8 +1,8 @@
-// Generated by CoffeeScript 1.7.1
+// Generated by CoffeeScript 1.12.6
 (function() {
   var CORS_SERVER;
 
-  CORS_SERVER = 'cors-server:3000';
+  CORS_SERVER = '127.0.0.1.xip.io:9292';
 
   describe('CORS', function() {
     it('should allow access to dynamic resource', function(done) {

data/test/unit/cors_test.rb

@@ -16,6 +16,32 @@ end
 Rack::Test::Methods.class_eval do
   def_delegator :current_session, :options
 end
+  
+module MiniTest::Assertions
+  def assert_cors_success(response)
+  	assert !response.headers['Access-Control-Allow-Origin'].nil?, "Expected a successful CORS response"
+  end
+
+  def assert_not_cors_success(response)
+  	assert response.headers['Access-Control-Allow-Origin'].nil?, "Expected a failed CORS response"
+  end
+end
+
+class CaptureResult
+  def initialize(app, options =  {})
+    @app = app
+    @result_holder = options[:holder]
+  end
+
+  def call(env)
+    response = @app.call(env)
+    @result_holder.cors_result = env[Rack::Cors::RACK_CORS]
+    return response
+  end
+end
+
+Rack::MockResponse.infect_an_assertion :assert_cors_success, :must_render_cors_success, :only_one_argument
+Rack::MockResponse.infect_an_assertion :assert_not_cors_success, :wont_render_cors_success, :only_one_argument
 
 describe Rack::Cors do
   include Rack::Test::Methods
@@ -25,10 +51,10 @@ describe Rack::Cors do
   def load_app(name)
     test = self
     Rack::Builder.new do
+      use CaptureResult, :holder => test
       eval File.read(File.dirname(__FILE__) + "/#{name}.ru")
       map('/') do
         run proc { |env|
-          test.cors_result = env[Rack::Cors::ENV_KEY]
           [200, {'Content-Type' => 'text/html'}, ['success']]
         }
       end
@@ -38,84 +64,84 @@ describe Rack::Cors do
   let(:app) { load_app('test') }
 
   it 'should support simple CORS request' do
-    cors_request
+    successful_cors_request
     cors_result.must_be :hit
   end
 
   it "should not return CORS headers if Origin header isn't present" do
     get '/'
-    should_render_cors_failure
+    last_response.wont_render_cors_success
     cors_result.wont_be :hit
   end
 
   it 'should support OPTIONS CORS request' do
-    cors_request '/options', :method => :options
+    successful_cors_request '/options', :method => :options
   end
 
   it 'should support regex origins configuration' do
-    cors_request :origin => 'http://192.168.0.1:1234'
+    successful_cors_request :origin => 'http://192.168.0.1:1234'
   end
 
   it 'should support subdomain example' do
-    cors_request :origin => 'http://subdomain.example.com'
+    successful_cors_request :origin => 'http://subdomain.example.com'
   end
 
   it 'should support proc origins configuration' do
-    cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
+    successful_cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
   end
 
   it 'should not mix up path rules across origins' do
     header 'Origin', 'http://10.10.10.10:3000'
     get '/' # / is configured in a separate rule block
-    should_render_cors_failure
+    last_response.wont_render_cors_success
   end
 
   it 'should support alternative X-Origin header' do
     header 'X-Origin', 'http://localhost:3000'
     get '/'
-    should_render_cors_success
+    last_response.must_render_cors_success
   end
 
   it 'should support expose header configuration' do
-    cors_request '/expose_single_header'
+    successful_cors_request '/expose_single_header'
     last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test'
   end
 
   it 'should support expose multiple header configuration' do
-    cors_request '/expose_multiple_headers'
+    successful_cors_request '/expose_multiple_headers'
     last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test-1, expose-test-2'
   end
 
   # Explanation: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
   it "should add Vary header if resource matches even if Origin header isn't present" do
     get '/'
-    should_render_cors_failure
+    last_response.wont_render_cors_success
     last_response.headers['Vary'].must_equal 'Origin'
   end
 
   it "should add Vary header based on :vary option" do
-    cors_request '/vary_test'
+    successful_cors_request '/vary_test'
     last_response.headers['Vary'].must_equal 'Origin, Host'
   end
 
   it 'should add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
-    cors_request '/', :origin => "http://192.168.0.3:8080"
+    successful_cors_request '/', :origin => "http://192.168.0.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://192.168.0.3:8080'
     last_response.headers['Vary'].wont_be_nil
   end
 
   it 'should add Vary header even if Access-Control-Allow-Origin header was added and it is generic (*)' do
-    cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
+    successful_cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     last_response.headers['Vary'].must_equal 'Origin'
   end
 
   it 'should support multi allow configurations for the same resource' do
-    cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
+    successful_cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
     last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://mucho-grande.com'
     last_response.headers['Vary'].must_equal 'Origin'
 
-    cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
+    successful_cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     last_response.headers['Vary'].must_equal 'Origin'
   end
@@ -128,15 +154,25 @@ describe Rack::Cors do
   it "should not apply CORS headers if it does not match conditional on resource" do
     header 'Origin', 'http://192.168.0.1:1234'
     get '/conditional'
-    should_render_cors_failure
+    last_response.wont_render_cors_success
   end
 
   it "should apply CORS headers if it does match conditional on resource" do
     header 'X-OK', '1'
-    cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
+    successful_cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
   end
 
- describe 'logging' do
+  it "should not allow everything if Origin is configured as blank string" do
+    cors_request '/blank-origin', origin: "http://example.net"
+    last_response.wont_render_cors_success
+  end
+
+  it "should not allow credentials for public resources" do
+    successful_cors_request '/public'
+    last_response.headers['Access-Control-Allow-Credentials'].must_be_nil
+  end
+
+  describe 'logging' do
     it 'should not log debug messages if debug option is false' do
       app = mock
       app.stubs(:call).returns(200, {}, [''])
@@ -204,82 +240,118 @@ describe Rack::Cors do
   describe 'preflight requests' do
     it 'should fail if origin is invalid' do
       preflight_request('http://allyourdataarebelongtous.com', '/')
-      should_render_cors_failure
+      last_response.wont_render_cors_success
       cors_result.wont_be :hit
       cors_result.must_be :preflight
     end
 
     it 'should fail if Access-Control-Request-Method is not allowed' do
       preflight_request('http://localhost:3000', '/get-only', :method => :post)
-      should_render_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
     it 'should fail if header is not allowed' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'Fooey')
-      should_render_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_HEADER
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
     it 'should allow any header if headers = :any' do
       preflight_request('http://localhost:3000', '/', :headers => 'Fooey')
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should allow any method if methods = :any' do
       preflight_request('http://localhost:3000', '/', :methods => :any)
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should allow header case insensitive match' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should allow multiple headers match' do
       # Webkit style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'X-Requested-With, X-Domain-Token')
-      should_render_cors_success
+      last_response.must_render_cors_success
 
       # Gecko style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'x-requested-with,x-domain-token')
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should * origin should allow any origin' do
       preflight_request('http://locohost:3000', '/public')
-      should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://locohost:3000'
+      last_response.must_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
     it 'should * origin should allow any origin, and set * if no credentials required' do
       preflight_request('http://locohost:3000', '/public_without_credentials')
-      should_render_cors_success
+      last_response.must_render_cors_success
       last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
-    it 'should "null" origin, allowed as "file://", returned as "null" in header' do
-      preflight_request('null', '/')
-      should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal 'null'
-    end
-
     it 'should return "file://" as header with "file://" as origin' do
       preflight_request('file://', '/')
-      should_render_cors_success
+      last_response.must_render_cors_success
       last_response.headers['Access-Control-Allow-Origin'].must_equal 'file://'
     end
 
     it 'should return a Content-Type' do
       preflight_request('http://localhost:3000', '/')
-      should_render_cors_success
+      last_response.must_render_cors_success
       last_response.headers['Content-Type'].wont_be_nil
     end
+
+    describe '' do
+
+      let(:app) do
+        test = self
+        Rack::Builder.new do
+          use CaptureResult, holder: test
+          use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
+            allow do
+              origins '*'
+              resource '/', :methods => :post
+            end
+          end
+          map('/') do
+            run ->(env) { [500, {'Content-Type' => 'text/plain'}, ['FAIL!']] }
+          end
+        end
+      end
+
+      it "should not send failed preflight requests thru the app" do
+        preflight_request('http://localhost', '/', :method => :unsupported)
+        last_response.wont_render_cors_success
+        last_response.status.must_equal 200
+        cors_result.must_be :preflight
+        cors_result.wont_be :hit
+        cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      end
+    end
+  end
+
+  describe "with insecure configuration" do
+    let(:app) { load_app('insecure') }
+
+    it "should raise an error" do
+      proc { cors_request '/public' }.must_raise Rack::Cors::Resource::CorsMisconfigurationError
+    end
   end
 
   describe "with non HTTP config" do
     let(:app) { load_app("non_http") }
 
     it 'should support non http/https origins' do
-      cors_request '/public', origin: 'content://com.company.app'
+      successful_cors_request '/public', origin: 'content://com.company.app'
     end
   end
 
@@ -314,13 +386,13 @@ describe Rack::Cors do
     end
 
     it "should return app header" do
-      cors_request origin: "http://example.net"
+      successful_cors_request origin: "http://example.net"
       last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
     end
 
     it "should return original headers if in debug" do
-      cors_request origin: "http://example.net"
-      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "http://example.net"
+      successful_cors_request origin: "http://example.net"
+      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "*"
     end
   end
 
@@ -333,7 +405,11 @@ describe Rack::Cors do
 
       header 'Origin', opts[:origin]
       current_session.__send__ opts[:method], path, {}, test: self
-      should_render_cors_success
+    end
+
+    def successful_cors_request(*args)
+      cors_request(*args)
+      last_response.must_render_cors_success
     end
 
     def preflight_request(origin, path, opts = {})
@@ -346,12 +422,4 @@ describe Rack::Cors do
       end
       options path
     end
-
-    def should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].wont_be_nil
-    end
-
-    def should_render_cors_failure
-      last_response.headers['Access-Control-Allow-Origin'].must_be_nil
-    end
 end

data/test/unit/dsl_test.rb

@@ -55,4 +55,15 @@ describe Rack::Cors, 'DSL' do
 
     resources.first.allow_origin?('file://').must_equal true
   end
+
+  it 'should default credentials option to false' do
+    cors = Rack::Cors.new(Proc.new {}) do
+      allow do
+        origins 'example.net'
+        resource '/', :headers => :any
+      end
+    end
+    resources = cors.send :all_resources
+    resources.first.resources.first.credentials.must_equal false
+  end
 end

data/test/unit/insecure.ru

@@ -0,0 +1,8 @@
+require 'rack/cors'
+
+use Rack::Cors do
+  allow do
+    origins '*'
+    resource '/public', credentials: true
+  end
+end

data/test/unit/test.ru

@@ -47,4 +47,9 @@ use Rack::Cors do
     origins '*'
     resource '/multi-allow-config', :max_age => 300, :credentials => false
   end
+
+  allow do
+    origins ''
+    resource '/blank-origin'
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cors
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Calvin Yu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-01 00:00:00.000000000 Z
+date: 2017-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -106,6 +106,7 @@ files:
 - test/cors/test.cors.js
 - test/unit/cors_test.rb
 - test/unit/dsl_test.rb
+- test/unit/insecure.ru
 - test/unit/non_http.ru
 - test/unit/test.ru
 homepage: https://github.com/cyu/rack-cors
@@ -141,5 +142,6 @@ test_files:
 - test/cors/test.cors.js
 - test/unit/cors_test.rb
 - test/unit/dsl_test.rb
+- test/unit/insecure.ru
 - test/unit/non_http.ru
 - test/unit/test.ru