New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bundled CORS-support #236
Comments
Just putting in my 2 cents: it would be useful to have |
I needed CORS to get my local dev setup with a SPA and backend API working. Ended up writing this interceptor that uses ring-cors. (s/def ::allow-origin string?)
(s/def ::allow-methods (s/coll-of keyword? :kind set?))
(s/def ::allow-credentials boolean?)
(s/def ::allow-headers (s/coll-of string? :kind set?))
(s/def ::expose-headers (s/coll-of string? :kind set?))
(s/def ::max-age nat-int?)
(s/def ::access-control
(s/keys :opt-un [::allow-origin
::allow-methods
::allow-credentials
::allow-headers
::expose-headers
::max-age]))
(s/def ::cors-interceptor
(s/keys :opt-un [::access-control]))
(def cors-interceptor
{:name ::cors
:spec ::access-control
:compile (fn [{:keys [access-control]} _]
(when access-control
(let [access-control (cors/normalize-config (mapcat identity access-control))]
{:enter (fn cors-interceptor-enter
[ctx]
(let [request (:request ctx)]
(if (or (and (cors/preflight? request)
(cors/allow-request? request access-control)))
(let [resp (cors/add-access-control
request
access-control
cors/preflight-complete-response)]
(assoc ctx
:response resp
:queue nil))
ctx)))
:leave (fn cors-interceptor-leave
[ctx]
(let [request (:request ctx)]
(if (and (cors/origin request)
(cors/allow-request? request access-control))
(if-let [response (:response ctx)]
(assoc ctx
:response
(cors/add-access-control
request
access-control
response)))
ctx)))})))}) Happy to submit a PR if interested. |
@kennyjwilli, cleaned up your example a little bit: (def cors-interceptor
{:name ::cors
:spec ::access-control
:compile (fn [{:keys [access-control]} _]
(when access-control
(let [access-control (cors/normalize-config (mapcat identity access-control))]
{:enter (fn cors-interceptor-enter
[{:keys [request] :as ctx}]
(if (and (cors/preflight? request)
(cors/allow-request? request access-control))
(let [resp (cors/add-access-control
request
access-control
cors/preflight-complete-response)]
(assoc ctx
:response resp
:queue nil))
ctx))
:leave (fn cors-interceptor-leave
[{:keys [request response] :as ctx}]
(cond-> ctx
(and (cors/origin request)
(cors/allow-request? request access-control)
response)
(assoc :response
(cors/add-access-control
request
access-control
response))))})))}) |
What's the status of this? I like the idea of |
So, will this support be included into It seems like the casing of the Since such (presumed) bugs are still present in |
Would really like this to be a default option. |
What are the current limitations with the Edit: I guess the missing piece would be adding the headers to the non-preflight requests. |
I have no answer, but this I am an interested onlooker! Right now our CSRF is managed with Ring handlers, but it would be cool if it were part of Reitit, as per the code you shared.
|
Currently, a third party mw/interceptor is needed for CORS. There should be a fast default mw & interceptor for this. Those could be configured either via route data or via mw/interceptor options. Example data format from #143 (comment):
Some prior work:
Related issues:
ring-cors
#143The text was updated successfully, but these errors were encountered: