Really allow everything
parent
1b6f1f1bf6
commit
93e3b13ccc
3 changed files with 74 additions and 17 deletions
|
@ -1,6 +1,6 @@
|
||||||
(defproject fuck-cors "0.1.7"
|
(defproject fuck-cors "0.1.8"
|
||||||
:description "Fuck CORS and open all to everyone"
|
:description "Fuck CORS and open your API to everyone"
|
||||||
:url "http://github.com/yogsototh/fuck-cors"
|
:url "http://github.com/yogsototh/fuck-cors"
|
||||||
:license {:name "MIT"
|
:license {:name "MIT"
|
||||||
:url "http://opensource.org/licences/MIT"}
|
:url "http://opensource.org/licences/MIT"}
|
||||||
:dependencies [[org.clojure/clojure "1.9.0"]])
|
:dependencies [[org.clojure/clojure "1.11.4"]])
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
(ns fuck-cors.core)
|
(ns fuck-cors.core
|
||||||
|
(:require [clojure.string :as string]))
|
||||||
|
|
||||||
(defn- host-from-req
|
(defn- host-from-req
|
||||||
[request]
|
[request]
|
||||||
|
@ -10,29 +11,30 @@
|
||||||
[request header-name]
|
[request header-name]
|
||||||
(let [rawref (get-in request [:headers header-name])]
|
(let [rawref (get-in request [:headers header-name])]
|
||||||
(if rawref
|
(if rawref
|
||||||
(clojure.string/replace rawref #"(http://[^/]*).*$" "$1")
|
(string/replace rawref #"(http://[^/]*).*$" "$1")
|
||||||
nil)))
|
nil)))
|
||||||
|
|
||||||
(defn wrap-open-cors
|
(defn wrap-open-cors
|
||||||
"Open your Origin Policy to Everybody, no limit"
|
"Open your Origin Policy to Everybody, no limit"
|
||||||
[handler]
|
[handler]
|
||||||
(fn [request]
|
(fn [request]
|
||||||
(let [origin (get-header request "origin")
|
(let [origin (get-header request "origin")
|
||||||
referer (get-header request "referer")
|
referer (get-header request "referer")
|
||||||
host (host-from-req request)
|
host (host-from-req request)
|
||||||
origins (if origin
|
origins (if origin
|
||||||
origin
|
origin
|
||||||
(if referer
|
(if referer
|
||||||
referer
|
referer
|
||||||
host))
|
host))
|
||||||
headers {"Access-Control-Allow-Origin" origins
|
{:keys [headers] :as original-response} (handler request)
|
||||||
"Access-Control-Allow-Headers" "Origin, X-Requested-With, Content-Type, Accept, Cache-Control, Accept-Language, Accept-Encoding, Authorization"
|
resp-cors-headers
|
||||||
"Access-Control-Allow-Methods" "HEAD, GET, POST, PUT, DELETE, OPTIONS, TRACE"
|
{"Access-Control-Allow-Origin" origins
|
||||||
"Access-Control-Allow-Credentials" "true"
|
"Access-Control-Allow-Headers" (string/join "," (keys headers))
|
||||||
"Access-Control-Expose-Headers" "content-length"
|
"Access-Control-Allow-Methods" "HEAD, GET, PATCH, POST, CONNECT, PUT, DELETE, OPTIONS, TRACE"
|
||||||
"Vary" "Accept-Encoding, Origin, Accept-Language"}]
|
"Access-Control-Allow-Credentials" "true"
|
||||||
(-> (handler request)
|
"Access-Control-Expose-Headers" (string/join "," (keys headers))}]
|
||||||
(update-in [:headers] #(into % headers))))))
|
(-> original-response
|
||||||
|
(update-in [:headers] #(into % resp-cors-headers))))))
|
||||||
|
|
||||||
(defn wrap-preflight
|
(defn wrap-preflight
|
||||||
"Add a preflight answer. Will break any OPTIONS handler, beware.
|
"Add a preflight answer. Will break any OPTIONS handler, beware.
|
||||||
|
|
|
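Review bot: The new `resp-cors-headers` map in `wrap-open-cors` no longer sets `Vary`, although `Access-Control-Allow-Origin` still echoes the request's Origin (or Referer, or host), so a shared cache may serve a response carrying one origin's value to a different origin; keep at least `"Vary" "Origin"` in the map. `Access-Control-Allow-Headers` is now built from the names of the response's headers, but that header tells the browser which request headers it may send, so `Authorization` from the old static list is no longer allowed unless the handler happens to return a header of that name. Echoing the request's `access-control-request-headers` value would match the intent better, presumably in step with what `wrap-preflight` answers (its body lies outside this section). Since credentials are allowed for every reflected origin, listing all response header names in `Access-Control-Expose-Headers` makes each of them readable by any site's script, which the docstring should state plainly.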
@ -1,6 +1,7 @@
|
||||||
(ns fuck-cors.core-test
|
(ns fuck-cors.core-test
|
||||||
(:require [clojure.test :refer :all]
|
(:require [clojure.test :refer [deftest testing is]]
|
||||||
[fuck-cors.core :refer :all]))
|
[fuck-cors.core :refer [wrap-open-cors]]
|
||||||
|
[clojure.string :as string]))
|
||||||
|
|
||||||
(def host-from-req (ns-resolve 'fuck-cors.core 'host-from-req))
|
(def host-from-req (ns-resolve 'fuck-cors.core 'host-from-req))
|
||||||
|
|
||||||
|
@ -10,3 +11,57 @@
|
||||||
:scheme :http}]
|
:scheme :http}]
|
||||||
(is (= "http://yannesposito.com"
|
(is (= "http://yannesposito.com"
|
||||||
(host-from-req request))))))
|
(host-from-req request))))))
|
||||||
|
|
||||||
|
(deftest wrap-open-cors-test
|
||||||
|
(testing "Can use any header"
|
||||||
|
(let [request-1
|
||||||
|
{:server-port 443
|
||||||
|
:server-name "yannesposito.com"
|
||||||
|
:remote-addr "127.0.0.1"
|
||||||
|
:uri "https://yannesposito.com/about/"
|
||||||
|
:scheme :https
|
||||||
|
:request-method :post
|
||||||
|
:headers {"host" "yannesposito.com"
|
||||||
|
"authorization" "Bearer 1337"
|
||||||
|
"Content-Type" "application/json; utf-8"}
|
||||||
|
:body "{\"foo\":\"bar\"}"}
|
||||||
|
|
||||||
|
handler
|
||||||
|
(fn [_]
|
||||||
|
{:status 200
|
||||||
|
:headers {"Origin" "https://yannesposito.com"
|
||||||
|
"Content-Type" "application/json; utf-8"
|
||||||
|
"X-SPECIFIC-HEADER" "42"}
|
||||||
|
:body "{\"foo\":\"bar\"}"})
|
||||||
|
|
||||||
|
wrapped (wrap-open-cors handler)
|
||||||
|
response-1 (wrapped request-1)
|
||||||
|
response-allowed-headers (some-> (get-in response-1 [:headers "Access-Control-Allow-Headers"])
|
||||||
|
(string/split #",")
|
||||||
|
(set))
|
||||||
|
response-expose-headers (some-> (get-in response-1 [:headers "Access-Control-Allow-Headers"])
|
||||||
|
(string/split #",")
|
||||||
|
(set))]
|
||||||
|
|
||||||
|
(is (contains? response-allowed-headers "Origin")
|
||||||
|
"Should contain the Origin header")
|
||||||
|
(is (contains? response-allowed-headers "X-SPECIFIC-HEADER")
|
||||||
|
"Can contain any strange custom made headers returned by the response")
|
||||||
|
|
||||||
|
(is (contains? response-expose-headers "Origin")
|
||||||
|
"Should contain the Origin header")
|
||||||
|
(is (contains? response-expose-headers "X-SPECIFIC-HEADER")
|
||||||
|
"Can contain any strange custom made headers returned by the response")
|
||||||
|
|
||||||
|
;; full response for example purpose
|
||||||
|
(is (= {:status 200
|
||||||
|
:headers {"Origin" "https://yannesposito.com"
|
||||||
|
"Content-Type" "application/json; utf-8"
|
||||||
|
"X-SPECIFIC-HEADER" "42"
|
||||||
|
"Access-Control-Allow-Origin" "https://yannesposito.com"
|
||||||
|
"Access-Control-Allow-Headers" "Origin,Content-Type,X-SPECIFIC-HEADER"
|
||||||
|
"Access-Control-Allow-Methods" "HEAD, GET, PATCH, POST, CONNECT, PUT, DELETE, OPTIONS, TRACE"
|
||||||
|
"Access-Control-Allow-Credentials" "true"
|
||||||
|
"Access-Control-Expose-Headers" "Origin,Content-Type,X-SPECIFIC-HEADER"}
|
||||||
|
:body "{\"foo\":\"bar\"}"}
|
||||||
|
response-1)))))
|
||||||
|
|
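Review bot: `response-expose-headers` in `wrap-open-cors-test` reads `"Access-Control-Allow-Headers"`, so the two expose-header assertions only re-check the allow list; the binding should be `(get-in response-1 [:headers "Access-Control-Expose-Headers"])`. The request carries an `authorization` header, yet nothing asserts that it ends up in the allowed request headers, which is the case a credentialed API client depends on. The expected string `"Origin,Content-Type,X-SPECIFIC-HEADER"` in the full-response comparison relies on the iteration order of the handler's header map, so comparing the split values as sets there too would be less brittle.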