Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

access-control-allow-origin does not show in response headers #1

Open
alolis opened this issue May 29, 2013 · 4 comments
Open

access-control-allow-origin does not show in response headers #1

alolis opened this issue May 29, 2013 · 4 comments

Comments

@alolis
Copy link

alolis commented May 29, 2013

Hello,

I am using compojure and I wanted to allow origin from anywhere for the development process of my app so i added ring-cors like the example shows but if i look at the response headers on my chrome developer tools, i do not see the header set.

Does this middleware still works or is it abandoned?

Thanks for your time
@alolis alolis closed this as completed May 29, 2013
@alolis alolis reopened this May 29, 2013
@alolis
Copy link
Author

alolis commented May 29, 2013

I checked the code and there is no "origin" inside the headers which is used to get the origin here:
https://github.com/r0man/ring-cors/blob/master/src/ring/middleware/cors.clj#L7

This is what i see inside the headers of a test request:

{"accept" "/", "accept-encoding" "gzip,deflate,sdch", "accept-language" "en-US,en;q=0.8,el;q=0.6", >"connection" "keep-alive", "cookie" "PHPSESSID=aj198ujlvi9ag1ntrvj5m8e160; rock_format=json", "host" >"localhost:3000", "user-agent" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) >Chrome/27.0.1453.93 Safari/537.36"}

Also, it would be nice if allow-request? supported the use of wildcard (*).

@bripkens
Copy link

The problem is that CORS headers are only added when the request is allowed. They should probably be present for every request.

For development purposes and requests that do not require credentials the following CORS middleware is sufficient.

(defn wrap-cors
  "Allow requests from all origins"
  [handler]
  (fn [request]
    (let [response (handler request)]
      (update-in response
                 [:headers "Access-Control-Allow-Origin"]
                 (fn [_] "*")))))

@bhurlow
Copy link

bhurlow commented Sep 4, 2014

if you're trying to go "all-the-way" you can do something like this:

(def cors-headers 
  { "Access-Control-Allow-Origin" "*"
    "Access-Control-Allow-Headers" "Content-Type"
    "Access-Control-Allow-Methods" "GET,POST,OPTIONS" })

(defn all-cors
  "Allow requests from all origins"
  [handler]
  (fn [request]
    (let [response (handler request)]
      (update-in response [:headers]
        merge cors-headers ))))

note that you'll need some way of handling OPTIONS requests.

@leordev
Copy link

leordev commented Aug 14, 2016

@bhurlow awesome catch... merging yours with a pre-flight it's even better... https://gist.github.com/leordev/35bee2e7dfde38ced6b1f5236cc45c0d 😆

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@alolis @bripkens @bhurlow @leordev