@ampproject/toolbox-cors - npm Package Compare versions

Comparing version 1.0.0-beta.7 to 1.0.0-beta.8

lib/cors.js

@@ -25,2 +25,3 @@ /**
 const DEFAULT_OPTIONS = {
+  email: false,
   allowCredentials: true,
@@ -40,2 +41,3 @@ enableAmpRedirectTo: true,
  * @param {boolean} [options.verbose=false] verbose logging output
+ * @param {boolean} [options.email=false] add additional CORS headers for AMP for Email
  * @param {boolean} [options.verifyOrigin=true] verify origins to match official AMP caches.
@@ -48,2 +50,6 @@ * @param {Caches} [caches=new Caches()]
   log.verbose(options.verbose);
+  if (options.email === true) {
+    // email origins cannot be verified
+    options.verifyOrigin = false;
+  }
   return async (request, response, next) => {
@@ -84,5 +90,11 @@ // Get source origin from query
     response.setHeader('Access-Control-Allow-Origin', originHeaders.origin || sourceOrigin);
+    const headersToExpose = [];
     if (options.enableAmpRedirectTo) {
-      response.setHeader('Access-Control-Expose-Headers', 'AMP-Redirect-To');
+      headersToExpose.push('AMP-Redirect-To');
     }
+    if (options.email) {
+      headersToExpose.push('AMP-Access-Control-Allow-Source-Origin');
+      response.setHeader('AMP-Access-Control-Allow-Source-Origin', sourceOrigin);
+    }
+    response.setHeader('Access-Control-Expose-Headers', headersToExpose);
     if (options.allowCredentials) {
@@ -89,0 +101,0 @@ response.setHeader('Access-Control-Allow-Credentials', 'true');

package.json

 {
   "name": "@ampproject/toolbox-cors",
-  "version": "1.0.0-beta.7",
+  "version": "1.0.0-beta.8",
   "description": "An express middleware implementing the AMP CORS protocol",
@@ -21,5 +21,5 @@ "main": "index.js",
   "dependencies": {
-    "@ampproject/toolbox-cache-list": "^1.0.0-beta.7",
-    "@ampproject/toolbox-cache-url": "^1.0.0-beta.7",
-    "@ampproject/toolbox-core": "^1.0.0-beta.7"
+    "@ampproject/toolbox-cache-list": "^1.0.0-beta.8",
+    "@ampproject/toolbox-cache-url": "^1.0.0-beta.8",
+    "@ampproject/toolbox-core": "^1.0.0-beta.8"
   },
@@ -30,3 +30,3 @@ "bugs": {
   "homepage": "https://github.com/ampproject/amp-toolbox/tree/master/packages/cors",
-  "gitHead": "386bd4636da2dfd92569a6f0c0ede7bd2b49580c"
+  "gitHead": "6f291b4f9b0a00a24e3af763c918a2b70d47bb5e"
 }

README.md

@@ -52,3 +52,3 @@ # AMP CORS Middleware
 By default, the AMP CORS middleware will only allow requests from AMP Caches listed on
-https://cdn.ampproject.org/caches.json (with the addition of `bing-amp.com`). All other
+https://cdn.ampproject.org/caches.json. All other
 origins will receive a `403` response. To allow requests from all origins, disable this
@@ -96,2 +96,15 @@ via the `verifyOrigin` option:
 
+
+### Email Mode
+
+Gmail has [specific AMP CORS requirements](https://developers.google.com/gmail/ampemail/security-requirements). You can enable the Email CORS mode via the `email option`: 
+
+```
+app.use(ampCors({
+  email: true
+}));
+```
+
+**Note:** the default AMP CORS mode for websites is compatible with email CORS mode (only origin verification is no longer supported). If you want to support both, it's safe to enable email mode by default.
+
 ## Example
@@ -98,0 +111,0 @@

No alert changes

Improved metrics

Total package byte prevSize

22373

increased by4.08%

Lines of code

162

increased by8%

Number of lines in readme file

141

increased by10.16%

Dependency changes

• Updated@ampproject/toolbox-cache-list@^1.0.0-beta.8

• Updated@ampproject/toolbox-cache-url@^1.0.0-beta.8

• Updated@ampproject/toolbox-core@^1.0.0-beta.8