Safe Haskell | None |
---|---|
Language | Haskell2010 |
An implemenation of Cross-Origin resource sharing (CORS) for WAI that aims to be compliant with http://www.w3.org/TR/cors.
The function simpleCors
enables support of simple cross-origin requests.
The following is an example how to enable support for simple cross-origin requests for a scotty application.
{-# LANGUAGE UnicodeSyntax #-} {-# LANGUAGE OverloadedStrings #-} module Main ( main ) where import Network.Wai.Middleware.Cors import Web.Scotty main ∷ IO () main = scotty 8080 $ do middleware simpleCors matchAny "/" $ text "Success"
The result of following curl command will include the HTTP response header
Access-Control-Allow-Origin: *
.
curl -i http://127.0.0.1:8888 -H 'Origin: 127.0.0.1' -v
- type Origin = ByteString
- data CorsResourcePolicy = CorsResourcePolicy {
- corsOrigins :: !(Maybe ([Origin], Bool))
- corsMethods :: ![Method]
- corsRequestHeaders :: ![HeaderName]
- corsExposedHeaders :: !(Maybe [HeaderName])
- corsMaxAge :: !(Maybe Int)
- corsVaryOrigin :: !Bool
- corsRequireOrigin :: !Bool
- corsIgnoreFailures :: !Bool
- simpleCorsResourcePolicy :: CorsResourcePolicy
- cors :: (Request -> Maybe CorsResourcePolicy) -> Middleware
- simpleCors :: Middleware
- isSimple :: Method -> RequestHeaders -> Bool
- simpleResponseHeaders :: [HeaderName]
- simpleHeaders :: [HeaderName]
- simpleContentTypes :: [CI ByteString]
- simpleMethods :: [Method]
Documentation
type Origin = ByteString Source
Origins are expected to be formated as described in RFC 6454 (section
6.2). In particular the string *
is not a valid origin (but the string
null
is).
data CorsResourcePolicy Source
CorsResourcePolicy | |
|
simpleCorsResourcePolicy :: CorsResourcePolicy Source
A CorsResourcePolicy
that supports simple cross-origin requests as defined
in http://www.w3.org/TR/cors/.
- The HTTP header
Access-Control-Allow-Origin
is set to*
. - Request methods are constraint to simple methods (
GET
,HEAD
,POST
). - Request headers are constraint to simple request headers
(
Accept
,Accept-Language
,Content-Language
,Content-Type
). - If the request is a
POST
request the content type is constraint to simple content types (application/x-www-form-urlencoded
,multipart/form-data
,text/plain
), - Only simple response headers may be exposed on the client
(
Cache-Control
,Content-Language
,Content-Type
,Expires
,Last-Modified
,Pragma
) - The
Vary-Origin
header is left unchanged (possibly unset). - If the request doesn't include an
Origin
header the request is passed unchanged to the application. - If the request includes an
Origin
header but does not conform to the CORS protocol (request is out of scope) an response with HTTP status 400 (bad request) and a short error message is returned.
For simple cross-origin requests a preflight request is not required. However, if the client chooses to make a preflight request it is answered in accordance with the policy for simple cross-origin requests.
:: (Request -> Maybe CorsResourcePolicy) | A value of |
-> Middleware |
A Cross-Origin resource sharing (CORS) middleware.
The middleware is given a function that serves as a pattern to decide
whether a requested resource is available for CORS. If the match fails with
Nothing
the request is passed unmodified to the inner application.
The current version of this module does only aim at compliance with the CORS
protocol as specified in http://www.w3.org/TR/cors/. In accordance with
that standard the role of the server side is to support the client to
enforce CORS restrictions. This module does not implement any enforcement of
authorization policies that are possibly implied by the
CorsResourcePolicy
. It is up to the inner WAI application to enforce such
policy and make sure that it is in accordance with the configuration of the
cors
middleware.
Matches are done as follows: *
matches every origin. For all other cases a
match succeeds if and only if the ASCII serializations (as described in
RCF6454 section 6.2) are equal.
The OPTIONS method may return options for resources that are not actually
available. In particular for preflight requests the implementation returns
for the HTTP response headers Access-Control-Allow-Headers
and
Access-Control-Allow-Methods
all values specified in the
CorsResourcePolicy
together with the respective values for simple requests
(except content-type
). This does not imply that the application actually
supports the respective values are for the requested resource. Thus,
depending on the application, an actual request may still fail with 404 even
if the preflight request supported the usage of the HTTP method with CORS.
The implementation does not distinguish between simple requests and requests that require preflight. The client is free to omit a preflight request or do a preflight request in cases when it wouldn't be required.
For application authors it is strongly recommended to take into account the security considerations in section 6.3 of http://wwww.w3.org/TR/cors.
TODO
- We may consider adding optional enforcment aspects to this module: we may check if a request respects our origin restrictions and we may check that a CORS request respects the restrictions that we publish in the preflight responses.
- Even though slightly out of scope we may (optionally) check if host header matches the actual host of the resource, since clients using CORS may expect this, since this check is recommended in http://www.w3.org/TR/cors.
- We may consider integrating CORS policy handling more closely with the
handling of the source, for instance by integrating with
ActionM
from scotty.
simpleCors :: Middleware Source
A CORS middleware that supports simple cross-origin requests for all resources.
This middleware does not check if the resource corresponds to the restrictions for simple requests. This is in accordance with http://www.w3.org/TR/cors/. The client (user-agent) is supposed to enforcement CORS policy. The role of the server is to provide the client with the respective policy constraints.
It is out of the scope of the this module if the server chooses to enforce rules on its resources in relation to CORS policy itself.
Utils
isSimple :: Method -> RequestHeaders -> Bool Source
simpleResponseHeaders :: [HeaderName] Source
Simple HTTP response headers as defined in http://www.w3.org/TR/cors/
simpleMethods :: [Method] Source
Simple HTTP methods as defined in http://www.w3.org/TR/cors/