CORSPolicy

org.http4s.server.middleware.CORSPolicy
See the CORSPolicy companion object
sealed class CORSPolicy(allowOrigin: AllowOrigin, allowCredentials: AllowCredentials, exposeHeaders: ExposeHeaders, allowMethods: AllowMethods, allowHeaders: AllowHeaders, maxAge: MaxAge)

A middleware that applies the CORS protocol to any Http value. Obtain a reference to a CORSPolicy via the CORS object, which represents a default policy.

Requests with an Origin header will receive the appropriate CORS headers. More headers are available for "pre-flight" requests: those whose method is OPTIONS and which carry an Access-Control-Request-Method header.

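Requests without the required headers, or requests that fail a CORS origin, method, or headers check are passed through to the underlying Http function, but do not receive any CORS headers in the response. The user agent will then block sharing the resource across origins according to the CORS protocol. Note that the underlying Http function still runs in this case: a failed check withholds the response from cross-origin scripts, but it does not stop the request's server-side effects, so CORS is not a substitute for authentication or authorization.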

Attributes

Companion:
object
Source:
CORS.scala
Supertypes
class Object
trait Matchable
class Any


Value members

Concrete methods

def apply[F[_] : Applicative, G[_]](http: Http[F, G]): Http[F, G]

Attributes

Source:
CORS.scala

Attributes

Source:
CORS.scala

Attributes

Source:
CORS.scala
def None } valsomeAllowMethodsSpecificHeader:Option[Raw]=allowMethodsmatch{ caseAllowMethods.All=> None caseAllowMethods.In(methods)=> catsSyntaxOptionId[Raw](Header.Raw.apply(Access-Control-Allow-Methods.name,methods.map[String](((_$18:Method)=>_$18.renderString)).mkString(","))).some } valmaxAgeHeader:Option[Raw]=maxAgematch{ caseMaxAge.Some(deltaSeconds)=> catsSyntaxOptionId[Raw](Header.Raw.apply(Access-Control-Max-Age.name,deltaSeconds.toString())).some caseMaxAge.Default=> None caseMaxAge.DisableCaching=> catsSyntaxOptionId[Raw](Header.Raw.apply(Access-Control-Max-Age.name,"-1")).some } valvaryHeaderNonOptions:Option[Raw]=allowOriginmatch{ caseAllowOrigin.Match(_)=> catsSyntaxOptionId[Raw](Header.Raw.apply(CIStringSyntax(_root_.scala.StringContext.apply("Vary")).ci(),Header.apply[Origin](headerInstance).name.toString)).some case_=> None } valvaryHeaderOptions:Option[Raw]={ deforigin:List[CIString]=allowOriginmatch{ caseAllowOrigin.All=> Nil caseAllowOrigin.Match(_)=> List.apply[CIString](Header.apply[Origin](headerInstance).name) } def`methods₂`:List[CIString]=allowMethodsmatch{ caseAllowMethods.All=> Nil caseAllowMethods.In(_)=> List.apply[CIString](Header.apply[Access-Control-Request-Method](headerInstance).name) } defheaders:List[CIString]=allowHeadersmatch{ case(AllowHeaders.All|AllowHeaders.Static(_))=> Nil case(AllowHeaders.In(_)|AllowHeaders.Reflect)=> List.apply[CIString](CIStringSyntax(_root_.scala.StringContext.apply("Access-Control-Request-Headers")).ci()) } origin.++[CIString](`methods₂`).++[CIString](headers)match{ caseNil=> None casenonEmpty=> catsSyntaxOptionId[Raw](Header.Raw.apply(CIStringSyntax(_root_.scala.StringContext.apply("Vary")).ci(),nonEmpty.map[String](((_$19:CIString)=>_$19.toString)).mkString(","))).some } } defdispatch(req:Request[G]):F[Response[G]]=req.headers.get[Origin](singleHeaders[Origin](headerInstance))match{ caseSome(origin)=> req.methodmatch{ caseMethod.OPTIONS=> 
req.headers.get[Access-Control-Request-Method](singleHeaders[Access-Control-Request-Method](headerInstance))match{ caseSome(acrm)=> val`headers₂`:Set[CIString]=req.headers.get(CIStringSyntax(_root_.scala.StringContext.apply("Access-Control-Request-Headers")).ci())match{ caseSome(acrHeaders)=> toFoldableOps[NonEmptyList,Set[CIString]](acrHeaders.map[Set[CIString]](((_$20:Raw)=>wrapRefArray[CIString](refArrayOps[String](_$20.value.split("\\s*,\\s*")).map[CIString](((_$21:String)=>CIString.apply(_$21)))(ClassTag.apply[CIString](classOf[CIString]))).toSet[CIString])))(catsDataInstancesForNonEmptyListBinCompat1).fold(catsKernelBoundedSemilatticeForSet[CIString]) caseNone=> Set.empty[CIString] } preflight(req,`origin₂`,acrm.method,`headers₂`) caseNone=> nonPreflight(req,`origin₂`) } case_=> nonPreflight(req,`origin₂`) } caseNone=> nonCors(req) } defnonPreflight(`req₂`:Request[G],`origin₃`:Origin):F[Response[G]]={ valbuff:Builder[Raw,List[Raw]]=List.newBuilder[Header.Raw] allowOriginHeader(`origin₃`).map[Builder[Raw,List[Raw]]](((allowOrigin:Raw)=>{ buff.+=(allowOrigin) allowCredentialsHeader.foreach[Builder[Raw,List[Raw]]](((elem:Raw)=>buff.+=(elem))) exposeHeadersHeader.foreach[Builder[Raw,List[Raw]]](((`elem₂`:Raw)=>buff.+=(`elem₂`))) buff })) toFunctorOps[F,Response[G]](toFunctorOps[F,Response[G]](http.apply(`req₂`))(evidence$6).map[Response[G]](((_$22:Response[G])=>_$22.putHeaders(buff.result().map[ToRaw&Primitive](((h:Raw)=>Header.ToRaw.rawToRaw(h))):_*))))(evidence$6).map[Response[G]](((resp:Response[G])=>varyHeader(`req₂`.method)(resp))) } defpreflight(`req₃`:Request[G],`origin₄`:Origin,method:Method,`headers₃`:Set[CIString]):F[Response[G]]={ val`buff₂`:Builder[Raw,List[Raw]]=List.newBuilder[Header.Raw] 
catsSyntaxTuple3Semigroupal[Option,Raw,Raw,Raw](Tuple3.apply[Option[Raw],Option[Raw],Option[Raw]](allowOriginHeader(`origin₄`),allowMethodsHeader(method),allowHeadersHeader(`headers₃`))).mapN[Unit](((x$1:Raw,x$2:Raw,x$3:Raw)=>Tuple3.apply[Raw,Raw,Raw](x$1,x$2,x$3)match{ caseTuple3(allowOrigin,allowMethods,allowHeaders)=> `buff₂`.+=(`allowOrigin₂`) allowCredentialsHeader.foreach[Builder[Raw,List[Raw]]](((`elem₃`:Raw)=>`buff₂`.+=(`elem₃`))) `buff₂`.+=(allowMethods) `buff₂`.+=(allowHeaders) maxAgeHeader.foreach[Builder[Raw,List[Raw]]](((`elem₄`:Raw)=>`buff₂`.+=(`elem₄`))) }))(catsInstancesForOption,catsSemigroupalForOption) toFunctorOps[F,Response[G]](toFunctorOps[F,Response[G]](preflightResponder.apply(`req₃`))(evidence$6).map[Response[G]](((_$23:Response[G])=>_$23.putHeaders(`buff₂`.result().map[ToRaw&Primitive](((`h₂`:Raw)=>Header.ToRaw.rawToRaw(`h₂`))):_*))))(evidence$6).map[Response[G]]({ valmethod$1:Method=Method.OPTIONS ((`resp₂`:Response[G])=>varyHeader(method$1)(`resp₂`)) }) } defnonCors(`req₄`:Request[G]):F[Response[G]]=toFunctorOps[F,Response[G]](http.apply(`req₄`))(evidence$6).map[Response[G]](((`resp₃`:Response[G])=>varyHeader(`req₄`.method)(`resp₃`))) defallowOriginHeader(`origin₅`:Origin):Option[Raw]=allowOriginmatch{ caseAllowOrigin.All=> CommonHeaders.someAllowOriginWildcard caseAllowOrigin.Match(p)=> if(p.apply(`origin₅`))catsSyntaxOptionId[Raw](Header.Raw.apply(CIStringSyntax(_root_.scala.StringContext.apply("Access-Control-Allow-Origin")).ci(),http4sHeaderSyntax[Origin](`origin₅`)(headerInstance).value)).someelseNone } defallowMethodsHeader(`method₂`:Method):Option[Raw]=allowMethodsmatch{ caseAllowMethods.All=> if(allowCredentials.==(AllowCredentials.Deny).||(catsSyntaxEq[Method](`method₂`)(catsInstancesForHttp4sMethod).===(wildcardMethod)))CommonHeaders.someAllowMethodsWildcardelseNone caseAllowMethods.In(methods)=> if(`methods₃`.contains(`method₂`))someAllowMethodsSpecificHeaderelseNone } 
defsomeAllowHeadersHeader(`headers₄`:Set[CIString]):Option[Raw]=catsSyntaxOptionId[Raw](Header.Raw.apply(Header.apply[Access-Control-Allow-Headers](headerInstance).name,`headers₄`.map[String](((_$24:CIString)=>_$24.toString)).mkString(","))).some defallowHeadersHeader(requestHeaders:Set[CIString]):Option[Raw]=allowHeadersmatch{ caseAllowHeaders.All=> if(allowCredentials.==(AllowCredentials.Deny).||(catsSyntaxEq[Set[CIString]](requestHeaders)(catsKernelPartialOrderForSet[CIString]).===(wildcardHeadersSet)))CommonHeaders.someAllowHeadersWildcardelseNone caseAllowHeaders.Static(allowedHeaders)=> someAllowHeadersHeader(allowedHeaders) caseAllowHeaders.In(allowedHeaders)=> if(requestHeaders.--(`allowedHeaders₂`).isEmpty)someAllowHeadersHeader(`allowedHeaders₂`)elseNone caseAllowHeaders.Reflect=> someAllowHeadersHeader(requestHeaders) } defvaryHeader(`method₃`:Method)(`resp₄`:Response[G]):Self=(`method₃`match{ caseMethod.OPTIONS=> varyHeaderOptions case_=> varyHeaderNonOptions })match{ caseSome(vary)=> `resp₄`.putHeaders(`resp₄`.headers.get(CIStringSyntax(_root_.scala.StringContext.apply("Vary")).ci())match{ caseNone=> rawToRaw(vary) caseSome(oldVary)=> rawToRaw(Header.Raw.apply(CIStringSyntax(_root_.scala.StringContext.apply("Vary")).ci(),oldVary.map[String](((_$25:Raw)=>_$25.value)).toList.mkString(",").+(",").+(vary.value))) }) caseNone=> `resp₄` } if(allowOrigin.==(AllowOrigin.All).&&(allowCredentials.==(AllowCredentials.Allow))){ logger.warn("CORSdisabledduetoinsecureconfigprohibitedbyspec.CallwithCredentials(false)toavoidsharingcredential-taintedresponseswitharbitraryorigins,orcallwithAllowOrigin*methodtobeexplicitwhoyoutrustwithcredential-taintedresponses.").unsafeRunSync() http }elseKleisli.apply[F,Request[G],Response[G]](((`req₅`:Request[G])=>dispatch(`req₅`))) }" t="n"class="documentableName ">impl[F[_] : Functor, G[_]](http: Http[F, G], preflightResponder: Http[F, G]): Http[F, G]

Attributes

Source:
CORS.scala

Allow credentials. Sends an Access-Control-Allow-Credentials: * on valid CORS requests if true, and omits the header if false.

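Allow credentials. Sends an Access-Control-Allow-Credentials: * on valid CORS requests if true, and omits the header if false. Note that the Fetch Standard defines `true` as the only valid value for Access-Control-Allow-Credentials, so the `*` written here appears to be a documentation slip; confirm the emitted value in CORS.scala.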

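For security purposes, it is invalid per the Fetch Living Standard, which defines CORS, to set this to true when any origin is allowed. In that configuration (any origin allowed together with credentials allowed) the middleware logs a warning and returns the wrapped Http unchanged, so it adds no CORS headers at all.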

Attributes

Source:
CORS.scala

Allows CORS requests with any headers if credentials are not allowed. If credentials are allowed, allows requests with a literal header name of *, which is almost certainly not what you mean, but per spec.

Allows CORS requests with any headers if credentials are not allowed. If credentials are allowed, allows requests with a literal header name of *, which is almost certainly not what you mean, but per spec.

Sends an Access-Control-Allow-Headers: * header on valid CORS preflight requests.

Attributes

Source:
CORS.scala

Allows CORS requests whose request headers are a subset of the headers enumerated here, or are CORS-safelisted.

Allows CORS requests whose request headers are a subset of the headers enumerated here, or are CORS-safelisted.

If preflight requests send an Access-Control-Request-Headers header, its value must be a subset of those passed here.

Sends an Access-Control-Allow-Headers header with the specified headers on valid CORS preflight requests.

Attributes

Source:
CORS.scala

Reflects the Access-Control-Request-Headers back as Access-Control-Allow-Headers on preflight requests. This is most useful when credentials are allowed and a wildcard for Access-Control-Allow-Headers would be treated literally.

Reflects the Access-Control-Request-Headers back as Access-Control-Allow-Headers on preflight requests. This is most useful when credentials are allowed and a wildcard for Access-Control-Allow-Headers would be treated literally.

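Sends an Access-Control-Allow-Headers header containing the requested headers on valid CORS preflight requests. Because every requested header name is echoed back, this setting places no restriction on which request headers a cross-origin caller may send.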

Attributes

Source:
CORS.scala

Returns a static value in Access-Control-Allow-Headers on preflight requests consisting of the supplied headers.

Returns a static value in Access-Control-Allow-Headers on preflight requests consisting of the supplied headers.

Sends an Access-Control-Allow-Headers header with the specified headers on valid CORS preflight requests.

Attributes

Source:
CORS.scala

Allows CORS requests with any method if credentials are not allowed. If credentials are allowed, allows requests with a literal method of *, which is almost certainly not what you mean, but per spec.

Allows CORS requests with any method if credentials are not allowed. If credentials are allowed, allows requests with a literal method of *, which is almost certainly not what you mean, but per spec.

Sends an Access-Control-Allow-Methods: * header on valid CORS preflight requests.

Attributes

Source:
CORS.scala

Allows CORS requests with any of the specified methods allowed.

Allows CORS requests with any of the specified methods allowed.

Preflight requests must send a matching Access-Control-Request-Method header to receive a CORS response.

Sends an Access-Control-Allow-Methods header with the specified methods on valid CORS preflight requests.

Attributes

Source:
CORS.scala

Allow CORS requests from any origin with an Access-Control-Allow-Origin of *.

Allow CORS requests from any origin with an Access-Control-Allow-Origin of *.

Attributes

Source:
CORS.scala

Allow requests from any origin matching the predicate p. On matching requests, the request origin is reflected as the Access-Control-Allow-Origin header.

Allow requests from any origin matching the predicate p. On matching requests, the request origin is reflected as the Access-Control-Allow-Origin header.

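The Origin header contains some arcane settings, like multiple origins, or a null origin. withAllowOriginHost is generally more convenient. Since a matching origin is reflected verbatim into Access-Control-Allow-Origin, p is the entire trust decision: prefer exact comparison against known origins over prefix, suffix, or substring tests, especially when credentials are allowed.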

Attributes

Source:
CORS.scala

Allow requests from any origin host matching the predicate p. The origin host is the first value in the request's Origin header, unless the header is null. Examples:

Allow requests from any origin host matching the predicate p. The origin host is the first value in the request's Origin header, unless the header is null. Examples:

  • Origin: http://www.example.com => http://www.example.com
  • Origin: http://www.example.com, http://example.net => http://www.example.com
  • Origin: null => always false

A Set[Origin.Host] is often a good choice here, but a predicate is offered to support more advanced matching.

Attributes

Source:
CORS.scala

Allow requests from any origin host whose case-insensitive rendering matches predicate p. A concession to the fact that constructing org.http4s.headers.Origin.Host values is verbose.

Allow requests from any origin host whose case-insensitive rendering matches predicate p. A concession to the fact that constructing org.http4s.headers.Origin.Host values is verbose.

Attributes

See also:
Source:
CORS.scala

Exposes all response headers to the origin.

Exposes all response headers to the origin.

Sends an Access-Control-Expose-Headers: * header on valid CORS non-preflight requests.

Attributes

Source:
CORS.scala

Exposes specific response headers to the origin. These are in addition to CORS-safelisted response headers.

Exposes specific response headers to the origin. These are in addition to CORS-safelisted response headers.

Sends an Access-Control-Expose-Headers header with names as a comma-delimited string on valid CORS non-preflight requests.

Attributes

Source:
CORS.scala

Exposes no response headers to the origin beyond the CORS-safelisted response headers.

Exposes no response headers to the origin beyond the CORS-safelisted response headers.

Sends an Access-Control-Expose-Headers header with names as a comma-delimited string on valid CORS non-preflight requests.

Attributes

Source:
CORS.scala

Sets the duration the results can be cached. The duration is truncated to seconds. A negative value results in a cache duration of zero.

Sets the duration the results can be cached. The duration is truncated to seconds. A negative value results in a cache duration of zero.

Sends an Access-Control-Max-Age header with the duration in seconds on preflight requests.

Attributes

Source:
CORS.scala

Sets the duration the results can be cached to the user agent's default. This suppresses the Access-Control-Max-Age header.

Sets the duration the results can be cached to the user agent's default. This suppresses the Access-Control-Max-Age header.

Attributes

Source:
CORS.scala

Instructs the client to not cache any preflight results.

Instructs the client to not cache any preflight results.

Sends an Access-Control-Max-Age: -1 header on preflight requests.

Attributes

Source:
CORS.scala