Skip to content

unbounce/encors

Repository files navigation

 _____ _      ____ ____  ____  ____
/  __// \  /|/   _Y  _ \/  __\/ ___\
|  \  | |\ |||  / | / \||  \/||    \
|  /_ | | \|||  \_| \_/||    /\___ |
\____\\_/  \|\____|____/\_/\_\\____/

Yet again another CORS library for ring.

Build Status
Clojars Project

Usage

Add CORS support to ring apps, supporting both synchronous and asynchronous (aleph) handlers.

wrap-cors

Receives 2 arguments:

  1. The ring app being wrapped.

  2. A map that must have the following keys:

  • :allowed-origins

    A set that specifies which origins are allowed by the middleware. A value of :star-origin indicates unrestricted cross-origin sharing and results in * as value for the Access-Control-Allow-Origin HTTP response header. A value of :match-origin will always return the incoming origin header.

  • :allowed-methods

    A set that specifies the HTTP methods allowed in CORS requests. (valid values are here)

  • :request-headers

    A set of field names of HTTP request headers that are allowed in CORS requests. Some headers found on a simple CORS implementation are included implicitly (except Content-Type)

  • :exposed-headers

    A set of HTTP header field names that will be exposed on the client (can be nil).

  • :max-age

    Number of seconds that the response may be cached by the client (can be nil).

  • :allow-credentials?

    A boolean that if true, adds the Access-Control-Allow-Credentials header on preflight requests.

  • :origin-varies?

    If the resource is shared by multiple origins but Access-Control-Allow-Origin is not set to * this may be set to true.

  • :require-origin?

    If this is true and the request does not include an Origin header the response will have HTTP status 400 (bad request) and the body will contain a short error message.

  • :ignore-failures?

    In case that:

    • the request contains an Origin header and

    • the client does not conform with the CORS protocol (request is out of scope)

    then

    • the request is passed on unchanged to the application if this field is true or

    • a response with HTTP status 400 (bad request) and short error message will be returned if this field is false

Example:

(ns my.ring-app
  (:require
    [com.unbounce.encors :refer [wrap-cors]]
    ;; ... other misc ring imports
    )

(defn raw-app [req]
  ;; return response here
  )

(def cors-policy
     { :allowed-origins #{"example.com"}
       :allowed-methods #{:get}
       :request-headers #{"X-Example-Header"}
       :exposed-headers nil
       :allow-credentials? true
       :origin-varies? false
       :max-age nil
       :require-origin? true
       :ignore-failures? false
     })

(def app (wrap-cors raw-app cors-policy))

com.unbounce.encors.aleph/wrap-cors

Same as wrap-cors, but supports aleph's deferred responses.

NOTE: This is only avaiable if you have ztellman/aleph on the classpath.

License

Copyright © 2014-2020 Unbounce Marketing Solutions Inc.

Distributed under the MIT License (MIT).