Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Feb 21, 2015
  1. Add support for :vary option on resource

    Since we offer an :if option on a resource, it makes sense that we
    might want to add additional headers to vary.
  2. Add HEAD and PATCH methods to :any

Commits on Feb 20, 2015
  1. Derek Myers
Commits on Feb 10, 2015
  1. Diego Algorta

    Fixes bug where Vary header was omitted in certain occasions

    oboxodo authored
    As explained in
    responses should ALWAYS include `Vary: Origin` if there's a chance for
    the response to differ depending on the Origin header in the request.
    This covers the case for when 2 requests for the same resource, one
    including the Origin header and the other not including it, should have
    different responses. If the Vary header doesn't mention Origin, then
    intermediary caches (like any CDN) will cache the response (including
    its headers) and will use it regardless of the request including the
    Origin header or not.
    This is to play nice with caches. Otherwise rack-cors can't be used with
    caches in certain situations.
Commits on Dec 27, 2014
  1. Update gem version

Commits on Oct 20, 2014
  1. Store CORS result in environment

    Store the CORS result in env['X_Rack_CORS'] so it can be accessible
    by other parts of the Rack stack
    Fixes #52
Commits on Oct 19, 2014
  1. Add support for NON-HTTP/HTTPS URIs

    For example, `origins ''` will match:
      - content://
    Fixes #17
  2. Renamed debug header X-Rack-CORS

  3. Fix multiple origin config logic

    Accidentally removed logic that supports multiple configurations
    with the same origin
Commits on Sep 23, 2014
  1. Merge pull request #54 from humanpractice/preserve_file_origin

    Allow both "file://" and "null" origins when `origin "file://"` is configured
  2. Rhett Sutphin

    Allow both "file://" and "null" origins when `origin "file://"` is co…

    rsutphin authored
    Previously, the configuration `origin "file://"` would effectively only permit
    `Origin: null` requests. Fixes #53.
Commits on Sep 11, 2014
Commits on Sep 7, 2014
  1. Return debug header

    Returns a X-Rack-Cors header when debug mode is enabled to give more
    information about how the middleware processed the request
  2. Updated examples and cors tests

    - Added more tests
    - Updated Rails examples apps to handle more HTTP methods
Commits on Jul 18, 2014
  1. Tim Ruffles

    warn on any for methods

    timruffles authored
Commits on May 7, 2014
  1. Added better support for loggers

Commits on Feb 28, 2014
  1. Jacob Gyllenstierna
Commits on Nov 12, 2013
  1. Update gem version

Commits on Jul 23, 2013
  1. Remove jeweler dependency

Commits on Jul 14, 2013
  1. Support non-preflight OPTIONS requests

    An alternative fix to #28
Commits on Jun 9, 2013
Commits on Apr 11, 2013
  1. Joel Van Horn
Commits on Dec 9, 2012
  1. Merge pull request #15 from dwbutler/master

    Check for block_given? in initialization
  2. Riley Martinez-Lynch

    Support "file://" as configurable origin

    teleological authored committed
  3. Riley Martinez-Lynch

    Map 'file://' back to 'null' in response header

    teleological authored committed
Commits on Dec 3, 2012
  1. David Butler
Commits on Nov 7, 2012
  1. Adam Bozanich
Commits on Nov 5, 2012
  1. Adam Bozanich

    runtime origin whitelist support

    boz authored
Commits on Jun 5, 2012
  1. Adding "Vary: Origin" to response header

    Marcelo Manzan authored
Commits on Sep 5, 2011
  1. Alexander Mankuta

    Don't expose allowed origins on resources that support credentials

    cheba authored
    According to the latest CORS spec [1] preflight response should set
    Access-Control-Allow-Origin header to '*' only if resource doesn't support
    credentials (Section "5.2 Preflight request" [2], step 7).
Commits on Jun 4, 2011
  1. code clean up

Something went wrong with that request. Please try again.