Bundled CORS-support #236
Comments
|
Just putting in my 2 cents: it would be useful to have |
|
I needed CORS to get my local dev setup with a SPA and backend API working. Ended up writing this interceptor that uses ring-cors. (s/def ::allow-origin string?)
(s/def ::allow-methods (s/coll-of keyword? :kind set?))
(s/def ::allow-credentials boolean?)
(s/def ::allow-headers (s/coll-of string? :kind set?))
(s/def ::expose-headers (s/coll-of string? :kind set?))
(s/def ::max-age nat-int?)
(s/def ::access-control
(s/keys :opt-un [::allow-origin
::allow-methods
::allow-credentials
::allow-headers
::expose-headers
::max-age]))
(s/def ::cors-interceptor
(s/keys :opt-un [::access-control]))
(def cors-interceptor
{:name ::cors
:spec ::access-control
:compile (fn [{:keys [access-control]} _]
(when access-control
(let [access-control (cors/normalize-config (mapcat identity access-control))]
{:enter (fn cors-interceptor-enter
[ctx]
(let [request (:request ctx)]
(if (or (and (cors/preflight? request)
(cors/allow-request? request access-control)))
(let [resp (cors/add-access-control
request
access-control
cors/preflight-complete-response)]
(assoc ctx
:response resp
:queue nil))
ctx)))
:leave (fn cors-interceptor-leave
[ctx]
(let [request (:request ctx)]
(if (and (cors/origin request)
(cors/allow-request? request access-control))
(if-let [response (:response ctx)]
(assoc ctx
:response
(cors/add-access-control
request
access-control
response)))
ctx)))})))})Happy to submit a PR if interested. |
|
@kennyjwilli, cleaned up your example a little bit: (def cors-interceptor
{:name ::cors
:spec ::access-control
:compile (fn [{:keys [access-control]} _]
(when access-control
(let [access-control (cors/normalize-config (mapcat identity access-control))]
{:enter (fn cors-interceptor-enter
[{:keys [request] :as ctx}]
(if (and (cors/preflight? request)
(cors/allow-request? request access-control))
(let [resp (cors/add-access-control
request
access-control
cors/preflight-complete-response)]
(assoc ctx
:response resp
:queue nil))
ctx))
:leave (fn cors-interceptor-leave
[{:keys [request response] :as ctx}]
(cond-> ctx
(and (cors/origin request)
(cors/allow-request? request access-control)
response)
(assoc :response
(cors/add-access-control
request
access-control
response))))})))}) |
|
What's the status of this? I like the idea of |
|
So, will this support be included into It seems like the casing of the Since such (presumed) bugs are still present in |
|
Would really like this to be a default option. |
|
What are the current limitations with the Edit: I guess the missing piece would be adding the headers to the non-preflight requests. |
|
I have no answer, but this I am an interested onlooker! Right now our CSRF is managed with Ring handlers, but it would be cool if it were part of Reitit, as per the code you shared.
|
Currently, a third party mw/interceptor is needed for CORS. There should be a fast default mw & interceptor for this. Those could be configured either via route data or via mw/interceptor options. Example data format from #143 (comment):
{:access-control {:allow-origin "http://foo.example" :allow-methods #{:get :post :put} :allow-credentials true :allow-headers #{"X-PINGOTHER" "Content-Type"} :expose-headers #{"X-My-Custom-Header" "X-Another-Custom-Header"} :max-age 86400}}Some prior work:
Related issues:
ring-cors#143The text was updated successfully, but these errors were encountered: