Really allow everything

project.clj

@@ -1,6 +1,6 @@
-(defproject fuck-cors "0.1.7"
+(defproject fuck-cors "0.1.8"
-  :description "Fuck CORS and open all to everyone"
+  :description "Fuck CORS and open your API to everyone"
   :url "http://github.com/yogsototh/fuck-cors"
   :license {:name "MIT"
             :url "http://opensource.org/licences/MIT"}
-  :dependencies [[org.clojure/clojure "1.9.0"]])
+  :dependencies [[org.clojure/clojure "1.11.4"]])

src/fuck_cors/core.clj

@@ -1,4 +1,5 @@
-(ns fuck-cors.core)
+(ns fuck-cors.core
+  (:require [clojure.string :as string]))
 
 (defn- host-from-req
   [request]
@@ -10,7 +11,7 @@
   [request header-name]
   (let [rawref (get-in request [:headers header-name])]
     (if rawref
-        (clojure.string/replace rawref #"(http://[^/]*).*$" "$1")
+        (string/replace rawref #"(http://[^/]*).*$" "$1")
         nil)))
 
 (defn wrap-open-cors
@@ -25,14 +26,15 @@
                     (if referer
                       referer
                       host))
-          headers {"Access-Control-Allow-Origin" origins
+          {:keys [headers] :as original-response} (handler request)
-                   "Access-Control-Allow-Headers" "Origin, X-Requested-With, Content-Type, Accept, Cache-Control, Accept-Language, Accept-Encoding, Authorization"
+          resp-cors-headers
-                   "Access-Control-Allow-Methods" "HEAD, GET, POST, PUT, DELETE, OPTIONS, TRACE"
+          {"Access-Control-Allow-Origin" origins
+           "Access-Control-Allow-Headers" (string/join "," (keys headers))
+           "Access-Control-Allow-Methods" "HEAD, GET, PATCH, POST, CONNECT, PUT, DELETE, OPTIONS, TRACE"
            "Access-Control-Allow-Credentials" "true"
-                   "Access-Control-Expose-Headers" "content-length"
+           "Access-Control-Expose-Headers" (string/join "," (keys headers))}]
-                   "Vary" "Accept-Encoding, Origin, Accept-Language"}]
+      (-> original-response
-      (-> (handler request)
+          (update-in [:headers] #(into % resp-cors-headers))))))
-          (update-in [:headers] #(into % headers))))))
 
 (defn wrap-preflight
   "Add a preflight answer. Will break any OPTIONS handler, beware.

test/fuck_cors/core_test.clj

@@ -1,6 +1,7 @@
 (ns fuck-cors.core-test
-  (:require [clojure.test :refer :all]
+  (:require [clojure.test :refer [deftest testing is]]
-            [fuck-cors.core :refer :all]))
+            [fuck-cors.core :refer [wrap-open-cors]]
+            [clojure.string :as string]))
 
 (def host-from-req (ns-resolve 'fuck-cors.core 'host-from-req))
 
@@ -10,3 +11,57 @@
                    :scheme :http}]
       (is (= "http://yannesposito.com"
              (host-from-req request))))))
+
+(deftest wrap-open-cors-test
+  (testing "Can use any header"
+    (let [request-1
+          {:server-port 443
+           :server-name "yannesposito.com"
+           :remote-addr "127.0.0.1"
+           :uri "https://yannesposito.com/about/"
+           :scheme :https
+           :request-method :post
+           :headers {"host" "yannesposito.com"
+                     "authorization" "Bearer 1337"
+                     "Content-Type" "application/json; utf-8"}
+           :body "{\"foo\":\"bar\"}"}
+
+          handler
+          (fn [_]
+            {:status 200
+             :headers {"Origin" "https://yannesposito.com"
+                       "Content-Type" "application/json; utf-8"
+                       "X-SPECIFIC-HEADER" "42"}
+             :body "{\"foo\":\"bar\"}"})
+
+          wrapped (wrap-open-cors handler)
+          response-1 (wrapped request-1)
+          response-allowed-headers (some-> (get-in response-1 [:headers "Access-Control-Allow-Headers"])
+                                           (string/split #",")
+                                           (set))
+          response-expose-headers (some-> (get-in response-1 [:headers "Access-Control-Allow-Headers"])
+                                           (string/split #",")
+                                           (set))]
+
+      (is (contains? response-allowed-headers "Origin")
+          "Should contain the Origin header")
+      (is (contains? response-allowed-headers "X-SPECIFIC-HEADER")
+          "Can contain any strange custom made headers returned by the response")
+
+      (is (contains? response-expose-headers "Origin")
+          "Should contain the Origin header")
+      (is (contains? response-expose-headers "X-SPECIFIC-HEADER")
+          "Can contain any strange custom made headers returned by the response")
+
+      ;; full response for example purpose
+      (is (= {:status 200
+              :headers {"Origin" "https://yannesposito.com"
+                        "Content-Type" "application/json; utf-8"
+                        "X-SPECIFIC-HEADER" "42"
+                        "Access-Control-Allow-Origin" "https://yannesposito.com"
+                        "Access-Control-Allow-Headers" "Origin,Content-Type,X-SPECIFIC-HEADER"
+                        "Access-Control-Allow-Methods" "HEAD, GET, PATCH, POST, CONNECT, PUT, DELETE, OPTIONS, TRACE"
+                        "Access-Control-Allow-Credentials" "true"
+                        "Access-Control-Expose-Headers" "Origin,Content-Type,X-SPECIFIC-HEADER"}
+              :body "{\"foo\":\"bar\"}"}
+             response-1)))))