Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Experiment in handing CORS preflight for TiddlyWeb
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


A plugin for TiddlyWeb to support CORS pre-flight checks.

This is an experiment, with limited functionality. As test
cases increase, functionality will increase.

To use add 'tiddlywebplugins.cors' to 'system_plugins' in

There are a few optional config settings:

If 'cors.match_origin' is True, then the value of the Origin
header will be the value of the Access-Control-Allow-Origin header,
on simple requests. On non-simple request, it always matches. If False
the value is '*' (on simple requests).

If 'cors.allow_creds' is True, then the
Access-Control-Allow-Credentials header will be sent with a value
of 'true', otherwise it will not be sent.

If 'cors.exposed_headers' is set, its should be a list of strings
representing header names which are appended to the default
Access-Control-Expose-Headers: ETag. This same list is used to set
the default of Access-Control-Allow-Headers.

If 'cors.enable_non_simple' is True, preflight OPTIONS requests are
handled. This defaults to False to avoid accidental exposure.

For authenticated cross-domain PUTs of resources the following config
appears to be required:

    'cors.enable_non_simple': True,
    'cors.allow_creds': True,
    'cors.match_origin': True,

The match_origin setting is required for the OPTIONS preflight requests
to be handled effectively.


* Blacklist/Whitelist processing of Access-Control-Request-Headers.
* Auditing with someone else to confirm that this stuff is "correct".
* Refactoring of the two middlewares. There's a fair bit of overlap.
  It could become just one that operates on both sides of the internal
  application, but I find that can be confusing.

Copyright 2012, Chris Dent <>

Something went wrong with that request. Please try again.