home : http://deveiate.org/projects/Strelka-CORS
code : http://bitbucket.org/ged/strelka-cors
github : https://github.com/ged/strelka-cors
docs : http://deveiate.org/code/strelka-cors
This is a Strelka application plugin for describing rules for Cross-Origin Resource Sharing (CORS).
NOTE: It's still a work in progress.
By default, the plugin has paranoid defaults, and doesn't do anything. You'll need to grant access to the resources you want to share.
To grant access, you declare one or more access_control blocks which can modify responses to matching access-control requests. All the blocks which match the incoming request's URI are called with the request and response objects in the order in which they're declared:
# Allow access to all resources from any origin by default
access_control do |req, res|
res.allow_origin '*'
res.allow_methods 'GET', 'POST'
res.allow_credentials
res.allow_headers :content_type
end
These are applied in the order you declare them, with each matching block passed the request if it matches. This happens before the application gets the request, so it can do any further modification it needs to, and so it can block requests from disallowed origins/methods/etc.
There are a number of helper methods added to the request and response objects for applying and declaring access-control rules when this plugin is loaded:
HTTPResponse#allow_origin <origin>+The origin parameter specifies a URI that may access the resource by setting the Access-Control-Allow-Origin header.
access_control do |req, res|
res.allow_origin 'http://acme.com/', 'http://www.acme.com/
res.allow_origin( req.origin )
res.allow_origin # same as above
res.allow_origin '*'
end
HTTPResponse#expose_headersSpecify a whitelist of headers that browsers are allowed to access by setting the Access-Control-Expose-Headers header on responses.
response.expose_headers :content_type, 'x-custom-header'
HTTPResponse#access_control_max_ageSpecify how long the results of a preflight request can be cached by setting the Access-Control-Max-Age header.
HTTPResponse#allow_credentialsSpecify whether or not a request can be made using credentials by setting the Access-Control-Allow-Credentials header on responses.
HTTPResponse#allow_methodsSpecifies the method or methods allowed when accessing the resource by setting the Access-Control-Allow-Methods header on responses.
HTTPResponse#allow_headersSpecify the HTTP headers that can be used when making a request.
If you just want to allow simple (GET, HEAD, POST) requests to your application from any origin, you can do it like so:
require 'strelka/app'
class MyApp < Strelka::App
plugin :cors
allow_origins '*'
# The rest of your app
end
This will add the appropriate header to outgoing responses.
gem install strelka-cors
Copyright (c) 2015-2016, Michael Granger All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the author/s, nor the names of the project's contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
FAQs
Unknown package
We found that strelka-cors demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A new site reviews software projects to reveal if they’re truly FOSS, making complex licensing and distribution models easy to understand.
Security News
Astral unveils pyx, a Python-native package registry in beta, designed to speed installs, enhance security, and integrate deeply with uv.
Security News
The Latio podcast explores how static and runtime reachability help teams prioritize exploitable vulnerabilities and streamline AppSec workflows.