CORS

object CORS

Implements the CORS protocol. The actual middleware is a CORSPolicy, which can be obtained via policy.

See also:
Source:
CORS.scala
class Object
trait Matchable
class Any
CORS.type

Value members

Deprecated methods

@deprecated("The default `CORSConfig` is insecure. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.", "0.21.27")
Deprecated
Source:
CORS.scala
@deprecated("Depends on a deficient `CORSConfig`. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6. If config.anyOrigin is true and config.allowCredentials is true, then the `Access-Control-Allow-Credentials` header will be suppressed starting with 0.22.3.", "0.21.27") @nowarn("cat=deprecation")
def apply[F[_], G[_]](http: Http[F, G], config: CORSConfig)(implicit F: Applicative[F]): Http[F, G]

CORS middleware. This middleware provides clients with CORS information based on the supplied CORS config. Currently, permissions cannot be made to depend on request details.

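CORS middleware. This middleware provides clients with CORS information based on the supplied CORS config. Currently, permissions cannot be made to depend on request details. This overload is deprecated because it depends on `CORSConfig`, which the linked advisory describes as deficient; obtain a `CORSPolicy` via `policy` instead.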

Deprecated
Source:
CORS.scala
@deprecated("Hardcoded to an insecure config. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.", "0.21.27")
def httpApp[F[_] : Applicative](httpApp: HttpApp[F]): HttpApp[F]
Deprecated
Source:
CORS.scala
@deprecated("Hardcoded to an insecure config. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.", "0.21.27")
def httpRoutes[F[_] : Monad](httpRoutes: HttpRoutes[F]): HttpRoutes[F]
Deprecated
Source:
CORS.scala

Concrete fields

The default CORS policy:

The default CORS policy:

  • Sends Access-Control-Allow-Origin: *
  • Sends no Access-Control-Allow-Credentials
  • Sends no Access-Control-Expose-Headers
  • Sends Access-Control-Allow-Methods: GET, HEAD, POST
  • Reflects request's Access-Control-Request-Headers as Access-Control-Allow-Headers
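  • Sends no Access-Control-Max-Age

Because this default allows every origin, it is appropriate only for resources that are safe for any site to read without credentials; narrow the allowed origins on the policy before using it for anything else.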
Source:
CORS.scala

Deprecated fields

@deprecated("Not the actual default CORS Vary header, and will be removed from the public API.", "0.21.27")
Deprecated
Source:
CORS.scala