CORS
object CORS
Implements the CORS protocol. The actual middleware is a CORSPolicy, which can be obtained via policy.
- See also:
- Source:
- CORS.scala
Value members
Deprecated methods
@deprecated("The default `CORSConfig` is insecure. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.", "0.21.27")
- Deprecated
- Source:
- CORS.scala
@deprecated("Depends on a deficient `CORSConfig`. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6. If config.anyOrigin is true and config.allowCredentials is true, then the `Access-Control-Allow-Credentials` header will be suppressed starting with 0.22.3.", "0.21.27") @nowarn("cat=deprecation")
def {
/** Builds the reply to an accepted preflight request.
  *
  * Starts from a default, empty `Response` and lets `corsHeaders` decorate it
  * with `isPreflight = true`, so the preflight-specific header is selected.
  *
  * @param origin the `Origin` header of the preflight request
  * @param acrm   the `Access-Control-Request-Method` header of the preflight request
  * @return the preflight response carrying the CORS headers
  */
def createOptionsResponse(origin: Origin, acrm: `Access-Control-Request-Method`): Response[G] = {
  val emptyResponse = Response[G]()
  corsHeaders(origin, acrm.method, isPreflight = true)(emptyResponse)
}
/** Selects the header that differs between preflight and actual responses.
  *
  * A preflight response gets `Access-Control-Allow-Headers` from
  * `config.allowedHeaders`; any other response gets
  * `Access-Control-Expose-Headers` from `config.exposedHeaders`.
  *
  * @param isPreflight whether the response answers a preflight request
  * @return the header, or `None` when the matching config entry is empty
  */
def methodBasedHeader(isPreflight: Boolean): Option[Raw] = {
  // Only the config field of the chosen branch is read, as in the if/else form.
  val (headerName, configured) =
    if (isPreflight) ("Access-Control-Allow-Headers", config.allowedHeaders)
    else ("Access-Control-Expose-Headers", config.exposedHeaders)
  configured.map(names => headerFromStrings(headerName, names))
}
/** Adds `defaultVaryHeader` to a response that carries no `Vary` header.
  *
  * A response that already has a `Vary` header is returned unchanged.
  *
  * @param response the response to inspect
  * @return the response, with `defaultVaryHeader` added when `Vary` was absent
  */
def varyHeader(response: Response[G]): Response[G] = {
  val existingVary = response.headers.get(ci"Vary")
  // NOTE(review): an existing Vary header is kept as is; nothing here checks that it
  // lists `Origin`. Confirm shared caches cannot replay a response across origins.
  if (existingVary.isDefined) response
  else response.putHeaders(defaultVaryHeader)
}
/** Adds `Access-Control-Allow-Credentials: true` when the config permits it.
  *
  * The header is added only if `config.allowCredentials` is set and
  * `config.anyOrigin` is not; otherwise the response is returned unchanged.
  *
  * @param resp the response to decorate
  * @return the response, possibly with the credentials header added
  */
def allowCredentialsHeader(resp: Response[G]): Response[G] = {
  // Credentials are never advertised together with an any-origin config: the
  // Allow-Origin header echoes the caller's origin, so combining the two would
  // extend credentialed access to every origin.
  val mayAdvertiseCredentials = !config.anyOrigin && config.allowCredentials
  if (mayAdvertiseCredentials) resp.putHeaders("Access-Control-Allow-Credentials" -> "true")
  else resp
}
/** Decorates a response with the CORS response headers.
  *
  * Applies, in order: the preflight-dependent header from `methodBasedHeader`,
  * the credentials header from `allowCredentialsHeader`, the `Vary` handling
  * from `varyHeader`, and finally `Access-Control-Allow-Methods`,
  * `Access-Control-Allow-Origin` and `Access-Control-Max-Age`.
  *
  * @param origin      the request's `Origin` header; its value is echoed back
  * @param method      the method used for `Access-Control-Allow-Methods` when
  *                    `config.allowedMethods` is empty
  * @param isPreflight whether the response answers a preflight request
  * @param resp        the response to decorate
  * @return the decorated response
  */
def corsHeaders(origin: Origin, method: Method, isPreflight: Boolean)(resp: Response[G]): Response[G] = {
  val withMethodBasedHeader: Response[G] = methodBasedHeader(isPreflight) match {
    case Some(h) => resp.putHeaders(h)
    case None    => resp
  }
  // Configured methods win; otherwise only the method at hand is advertised.
  val allowedMethodsValue = config.allowedMethods match {
    case Some(methods) => methods.mkString("", ",", "")
    case None          => method.renderString
  }
  // Allow-Origin is always the specific request origin, never a wildcard, so the
  // origin must have been accepted by the caller before this point.
  // Max-Age is attached to preflight and non-preflight responses alike.
  varyHeader(allowCredentialsHeader(withMethodBasedHeader)).putHeaders(
    "Access-Control-Allow-Methods" -> allowedMethodsValue,
    "Access-Control-Allow-Origin" -> origin.value,
    "Access-Control-Max-Age" -> config.maxAge.toSeconds.toString
  )
}
/** Decides whether a request from `origin` using `method` passes the config.
  *
  * The origin passes when `config.anyOrigin` is set or `config.allowedOrigins`
  * accepts the origin's header value. The method passes when `config.anyMethod`
  * is set or `config.allowedMethods` is defined and contains the method.
  *
  * @param origin the request's `Origin` header
  * @param method the method to check (the requested method for a preflight)
  * @return `true` only when both the origin and the method pass
  */
def allowCORS(origin: Origin, method: Method): Boolean = {
  val originAccepted = config.anyOrigin || config.allowedOrigins(origin.value)
  // The method is consulted only once the origin has passed, matching the
  // short-circuit of the original `allowOrigin && allowMethod`.
  if (!originAccepted) false
  else config.anyMethod || config.allowedMethods.exists(_.exists(_ === method))
}
/** Builds a raw header whose value is the given strings joined by commas.
  *
  * @param headerName the header name, wrapped in a case-insensitive string
  * @param values     the values to join
  * @return the raw header
  */
def headerFromStrings(headerName: String, values: Set[String]): Header.Raw = {
  val joined = values.mkString("", ",", "")
  Header.Raw(CIString(headerName), joined)
}
// Dispatch on the request method and the two CORS request headers.
// NOTE(review): whitespace inside the log messages below appears to have been
// stripped by the page rendering; they are reproduced exactly as shown.
val originHeader = req.headers.get[Origin]
val requestedMethod = req.headers.get[`Access-Control-Request-Method`]
(req.method, originHeader, requestedMethod) match {
  // Accepted preflight: answered here, the wrapped service is not invoked.
  case (OPTIONS, Some(origin), Some(acrm)) if allowCORS(origin, acrm.method) =>
    logger.debug(s"ServingOPTIONSwithCORSheadersfor${acrm}${req.uri}")
    createOptionsResponse(origin, acrm).pure[F]
  // Any other request carrying an Origin header. A preflight whose guard failed
  // above also lands here and is re-checked against the request's own method.
  case (_, Some(origin), _) =>
    if (allowCORS(origin, req.method))
      http(req).map { resp =>
        logger.debug(s"AddingCORSheadersto${req.method}${req.uri}")
        corsHeaders(origin, req.method, isPreflight = false)(resp)
      }
    else {
      // Rejected origin or method: reply 403 without invoking the wrapped service.
      logger.debug(s"CORSheadersweredeniedfor${req.method}${req.uri}")
      Response[G](status = Status.Forbidden).pure[F]
    }
  // No Origin header: the request is passed through with no CORS headers added.
  case _ =>
    http(req)
}
}))
}
apply[F[_], G[_]](http: Http[F, G], config: CORSConfig)(implicit F: Applicative[F]): Http[F, G]
CORS middleware. This middleware provides clients with CORS information based on the information in the CORS config. Currently, you cannot make permissions depend on request details.
- Deprecated
- Source:
- CORS.scala
@deprecated("Hardcoded to an insecure config. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.", "0.21.27")
- Deprecated
- Source:
- CORS.scala
@deprecated("Hardcoded to an insecure config. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.", "0.21.27")
- Deprecated
- Source:
- CORS.scala
Concrete fields
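The default CORS policy:
- Sends `Access-Control-Allow-Origin: *`
- Sends no `Access-Control-Allow-Credentials`
- Sends no `Access-Control-Expose-Headers`
- Sends `Access-Control-Allow-Methods: GET, HEAD, POST`
- Reflects request's `Access-Control-Request-Headers` as `Access-Control-Allow-Headers`
- Sends no `Access-Control-Max-Age`

Note: with a wildcard origin and no `Access-Control-Allow-Credentials`, browsers let any origin read responses to requests sent without credentials. Restrict the allowed origins for services that rely on network location rather than credentials for access control, and before enabling credentials.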
- Source:
- CORS.scala
Deprecated fields
@deprecated("Not the actual default CORS Vary heder, and will be removed from the public API.", "0.21.27")
- Deprecated
- Source:
- CORS.scala