wai-cors 0.2.5 → 0.2.6
raw patch · 7 files changed
+130/−109 lines, 7 filesdep ~filepath
Dependency ranges changed: filepath
Files
- CHANGELOG.md +10/−0
- README.md +3/−4
- constraints +0/−82
- examples/ServantWai.hs +49/−0
- examples/Wai.hs +26/−0
- src/Network/Wai/Middleware/Cors.hs +25/−11
- wai-cors.cabal +17/−12
CHANGELOG.md view
@@ -1,3 +1,13 @@+0.2.6 (2017-12-01)+==================++* Removed ghc-7.6.3 and versions of wai<3.0 from the CI test matrix.+ These versions are still supported in the code but cabal may need some+ manual help to resolve dependencies.++* Fixes and improvements to the documentation. Thanks to Frederik Hanghøj+ Iversen, Alex Collins, and Maximilian Tagher.+ 0.2.5 =====
README.md view
@@ -48,7 +48,6 @@ [scotty](http://hackage.haskell.org/package/scotty) application. ```.haskell-{-# LANGUAGE UnicodeSyntax #-} {-# LANGUAGE OverloadedStrings #-} module Main@@ -58,17 +57,17 @@ import Network.Wai.Middleware.Cors import Web.Scotty -main ∷ IO ()+main :: IO () main = scotty 8080 $ do middleware simpleCors- matchAny "/" $ text "Success"+ matchAny "/" $ text "Success" ``` The result of following curl command will include the HTTP response header `Access-Control-Allow-Origin: *`. ```.bash-curl -i http://127.0.0.1:8888 -H 'Origin: 127.0.0.1' -v+curl -i http://127.0.0.1:8080 -H 'Origin: 127.0.0.1' -v ``` Documentation for more general usage can be found in the module
− constraints
@@ -1,82 +0,0 @@-constraints: SHA ==1.6.4.2,- ansi-terminal ==0.6.2.1,- ansi-wl-pprint ==0.6.7.2,- appar ==0.1.4,- array ==0.5.1.0,- async ==2.0.2,- attoparsec ==0.13.0.0,- auto-update ==0.1.2.1,- base ==4.8.0.0,- base-unicode-symbols ==0.2.2.4,- base64-bytestring ==1.0.0.1,- binary ==0.7.3.0,- blaze-builder ==0.4.0.1,- byteorder ==1.0.4,- bytestring ==0.10.6.0,- bytestring-builder ==0.10.6.0.0,- case-insensitive ==1.2.0.4,- charset ==0.3.7.1,- containers ==0.5.6.2,- cookie ==0.4.1.5,- data-default-class ==0.0.1,- deepseq ==1.4.1.1,- directory ==1.2.2.0,- easy-file ==0.2.1,- entropy ==0.3.6,- exceptions ==0.8.0.2,- fast-logger ==2.3.1,- filepath ==1.4.0.0,- ghc-prim ==0.4.0.0,- hashable ==1.2.3.2,- http-date ==0.0.6.1,- http-types ==0.8.6,- integer-gmp ==1.0.0.0,- iproute ==1.4.0,- lifted-base ==0.2.3.6,- mmorph ==1.0.4,- monad-control ==1.0.0.4,- mtl ==2.2.1,- nats ==1,- network ==2.6.1.0,- old-locale ==1.0.0.7,- old-time ==1.1.0.3,- optparse-applicative ==0.11.0.2,- parsec ==3.1.9,- parsers ==0.12.2.1,- pretty ==1.1.2.0,- process ==1.2.3.0,- random ==1.1,- regex-base ==0.93.2,- regex-tdfa-rc ==1.1.8.3,- resourcet ==1.1.5,- rts ==1.0,- scientific ==0.3.3.8,- semigroups ==0.16.2.2,- simple-sendfile ==0.2.20,- stm ==2.4.4,- streaming-commons ==0.1.12.1,- stringsearch ==0.3.6.6,- tagged ==0.8.0.1,- tasty ==0.10.1.2,- tasty-hunit ==0.9.2,- template-haskell ==2.10.0.0,- text ==1.2.1.0,- time ==1.5.0.1,- transformers ==0.4.2.0,- transformers-base ==0.4.4,- transformers-compat ==0.4.0.4,- unbounded-delays ==0.1.0.9,- unix ==2.7.1.0,- unix-compat ==0.4.1.4,- unix-time ==0.3.5,- unordered-containers ==0.2.5.1,- vault ==0.3.0.4,- void ==0.7,- wai ==3.0.2.3,- wai-extra ==3.0.7.1,- wai-logger ==2.2.4,- wai-websockets ==3.0.0.5,- warp ==3.0.13.1,- websockets ==0.9.5.0,- word8 ==0.1.2,- zlib ==0.5.4.2
+ examples/ServantWai.hs view
@@ -0,0 +1,49 @@+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE TemplateHaskell #-}+{-# LANGUAGE TypeOperators #-}++import Data.Aeson+import Data.Aeson.TH+import Network.Wai+import Network.Wai.Handler.Warp+import Network.Wai.Middleware.Cors+import Servant++data User = User+ { userId :: Int+ , userFirstName :: String+ , userLastName :: String+ } deriving (Eq, Show)++$(deriveJSON defaultOptions ''User)++type API = "users" :> Get '[JSON] [User]++-- | Configure an Application with a CORS policy+app :: Application+app = (cors (const policy)) $ serve api server+ where policy = Just CorsResourcePolicy {+ corsOrigins = Nothing+ , corsMethods = ["GET"]+ , corsRequestHeaders = ["authorization", "content-type"]+ , corsExposedHeaders = Nothing+ , corsMaxAge = Just $ 60*60*24 -- one day+ , corsVaryOrigin = False+ , corsRequireOrigin = True+ , corsIgnoreFailures = False+ }++api :: Proxy API+api = Proxy++server :: Server API+server = return users++users :: [User]+users = [ User 1 "Isaac" "Newton"+ , User 2 "Albert" "Einstein"+ ]++main :: IO ()+main = run 8080 app
+ examples/Wai.hs view
@@ -0,0 +1,26 @@+{-# LANGUAGE UnicodeSyntax #-}++-- |+-- Module: Wai+-- Description: Example for using wai-cors with a plain wai app+-- Copyright: Copyright © 2017 Lars Kuhtz <lakuhtz@gmail.com>.+-- License: MIT+-- Maintainer: Lars Kuhtz <lakuhtz@gmail.com>+-- Stability: experimental+--+module Wai+( main+) where++import Network.HTTP.Types.Status+import Network.Wai+import Network.Wai.Middleware.Cors+import Network.Wai.Handler.Warp++main ∷ IO ()+main = run 8080 $ simpleCors $ echo++echo ∷ Application+echo req respond =+ respond . responseLBS ok200 [] =<< lazyRequestBody req+
src/Network/Wai/Middleware/Cors.hs view
@@ -30,7 +30,7 @@ -- complying with the CORS standard it enables the client (i.e. the web -- browser) to enforce the CORS policy. For application authors it is strongly -- recommended to take into account the security considerations in section 6.3--- of <http://wwww.w3.org/TR/cors>. In particular the application should check+-- of <http://www.w3.org/TR/cors>. In particular the application should check -- that the value of the @Origin@ header matches it's expectations. -- -- = Websockets@@ -137,7 +137,7 @@ -- -- A value of 'Nothing' indicates unrestricted cross-origin sharing and -- results in @*@ as value for the @Access-Control-Allow-Origin@ HTTP- -- response header.+ -- response header. Note if you send @*@, credentials cannot be sent with the request. -- -- A value other than 'Nothing' is a tuple that consists of a list of -- origins each with a Boolean flag that indicates if credentials are used@@ -148,6 +148,10 @@ -- particular the string @*@ is not a valid origin (but the string @null@ -- is). --+ -- Credentials include cookies, authorization headers and TLS client certificates.+ -- For credentials to be sent with requests, the @withCredentials@ setting of+ -- @XmlHttpRequest@ in the browser must be set to @true@.+ -- corsOrigins ∷ !(Maybe ([Origin], Bool)) -- | HTTP methods that are allowed in CORS requests.@@ -156,16 +160,19 @@ -- | Field names of HTTP request headers that are allowed in CORS requests. -- Header names that are included in 'simpleHeaders', except for- -- @content-type@, are implicitely included an thus optional in this list.+ -- @content-type@, are implicitly included and thus optional in this list. -- , corsRequestHeaders ∷ ![HTTP.HeaderName] - -- | Field names of HTTP headers that are exposed on the client.+ -- | Field names of HTTP headers that are exposed to the client in the response. -- , corsExposedHeaders ∷ !(Maybe [HTTP.HeaderName]) - -- | Number of seconds that the response may be cached by the client.+ -- | Number of seconds that the OPTIONS preflight response may be cached by the client. --+ -- Tip: Set this to 'Nothing' while testing your CORS implementation, then increase+ -- it once you deploy to production.+ -- , corsMaxAge ∷ !(Maybe Int) -- | If the resource is shared by multiple origins but@@ -203,6 +210,8 @@ -- * an response with HTTP status 400 (bad request) and short -- error message is returned if this field is 'False'. --+ -- Note: Your application needs to will receive preflight OPTIONS requests if set to 'True'.+ -- -- @since 0.2 -- , corsIgnoreFailures ∷ !Bool@@ -285,7 +294,7 @@ -- a preflight request in cases when it wouldn't be required. -- -- For application authors it is strongly recommended to take into account the--- security considerations in section 6.3 of <http://wwww.w3.org/TR/cors>.+-- security considerations in section 6.3 of <http://www.w3.org/TR/cors>. -- -- /TODO/ --@@ -445,9 +454,9 @@ -- -- This middleware does not check if the resource corresponds to the -- restrictions for simple requests. This is in accordance with--- <http://www.w3.org/TR/cors/>. The client (user-agent) is supposed to--- enforcement CORS policy. The role of the server is to provide the client--- with the respective policy constraints.+-- <http://www.w3.org/TR/cors/>. It is the responsibility of the +-- client (user-agent) to enforce CORS policy. The role of the server+-- is to provide the client with the respective policy constraints. -- -- It is out of the scope of the this module if the server chooses to -- enforce rules on its resources in relation to CORS policy itself.@@ -458,7 +467,7 @@ -- -------------------------------------------------------------------------- -- -- Definition from Standards --- | Simple HTTP response headers as defined in <http://www.w3.org/TR/cors/>+-- | Simple HTTP response headers as defined in <https://www.w3.org/TR/cors/#simple-response-header> -- simpleResponseHeaders ∷ [HTTP.HeaderName] simpleResponseHeaders =@@ -470,6 +479,7 @@ , "Pragma" ] +-- | Simple HTTP headers are defined in <https://www.w3.org/TR/cors/#simple-header> simpleHeaders ∷ [HTTP.HeaderName] simpleHeaders = [ "Accept"@@ -478,6 +488,7 @@ , "Content-Type" ] +-- | Simple content types are defined in <https://www.w3.org/TR/cors/#simple-header> simpleContentTypes ∷ [CI.CI B8.ByteString] simpleContentTypes = [ "application/x-www-form-urlencoded"@@ -486,7 +497,7 @@ ] --- | Simple HTTP methods as defined in <http://www.w3.org/TR/cors/>+-- | Simple HTTP methods as defined in <https://www.w3.org/TR/cors/#simple-method> -- simpleMethods ∷ [HTTP.Method] simpleMethods =@@ -495,6 +506,9 @@ , "POST" ] +-- | Whether the given method and headers constitute a simple request,+-- i.e. the method is simple, all headers are simple, and, if a POST request,+-- the content-type is simple. isSimple ∷ HTTP.Method → HTTP.RequestHeaders → Bool isSimple method headers = method `elem` simpleMethods
wai-cors.cabal view
@@ -1,10 +1,10 @@ -- ------------------------------------------------------ ----- Copyright © 2015-2016 Lars Kuhtz <lakuhtz@gmail.com>+-- Copyright © 2015-2017 Lars Kuhtz <lakuhtz@gmail.com> -- Copyright © 2014 AlephCloud Systems, Inc. -- ------------------------------------------------------ -- Name: wai-cors-Version: 0.2.5+Version: 0.2.6 Synopsis: CORS for WAI Description:@@ -20,20 +20,21 @@ Author: Lars Kuhtz <lakuhtz@gmail.com> Maintainer: Lars Kuhtz <lakuhtz@gmail.com> Copyright:- (c) 2015-2016 Lars Kuhtz <lakuhtz@gmail.com>,+ (c) 2015-2017 Lars Kuhtz <lakuhtz@gmail.com>, (c) 2014 AlephCloud Systems, Inc. Category: HTTP, Network, Web, Yesod Build-type: Simple Cabal-version: >= 1.14.0-tested-with: GHC == 7.6.3, GHC == 7.8.4, GHC == 7.10.3, GHC == 8.0.1+tested-with: GHC == 7.8.4, GHC == 7.10.3, GHC == 8.0.2, GHC == 8.2.1, GHC == 8.2.2 data-files: README.md CHANGELOG.md- constraints test/index.html test/phantomjs.js examples/Scotty.hs+ examples/Wai.hs+ examples/ServantWai.hs source-repository head type: git@@ -43,7 +44,7 @@ source-repository this type: git location: https://github.com/larskuhtz/wai-cors- tag: 0.2.5+ tag: 0.2.6 flag transformers-3 description: use transformers<0.3 (this is set automatically)@@ -120,9 +121,13 @@ text >= 1.2, wai-cors - -- we only build the tests suite with the most recent wai version- -- cabal fails to resolves the old dependencies otherwise.- if flag (wai-1) || flag (wai-2)+ if impl(ghc < 7.8)+ build-depends:+ filepath < 1.4.1.2++ -- We only build the tests suite with the more recent versions of wai and ghc.+ -- Cabal fails to resolves the old dependencies otherwise.+ if flag (wai-1) || flag (wai-2) || impl(ghc < 7.10) buildable: False else build-depends:@@ -147,9 +152,9 @@ tasty-hunit >= 0.9, wai-cors - -- we only build the tests suite with the most recent wai version- -- cabal fails to resolves the old dependencies otherwise.- if flag (wai-1) || flag (wai-2)+ -- We only build the tests suite with the more recent versions of wai and ghc.+ -- Cabal fails to resolves the old dependencies otherwise.+ if flag (wai-1) || flag (wai-2) || impl(ghc < 7.10) buildable: False else build-depends: