Ring middleware for Cross-Origin Resource Sharing.
Home Page: http://github.com/r0man/ring-cors
Ring middleware for Cross-Origin Resource Sharing.
(require '[ring.middleware.cors :refer [wrap-cors]])
(def handler
(wrap-cors my-routes :access-control-allow-origin [#"http://example.com"]
:access-control-allow-methods [:get :put :post :delete]))Copyright (C) 2013-2016 r0man
Distributed under the Eclipse Public License, the same as Clojure.
I'm using ring.middleware.cors with unity3d wasm.
error:
wasm streaming compile failed: TypeError: Failed to execute 'compile' on 'WebAssembly': Incorrect response MIME type. Expected 'application/wasm'.
warning:
HTTP Response Header "Content-Type" configured incorrectly on the server for file Build/MyGame.wasm , should be "application/wasm". Startup time performance will suffer.
(def ring-middle
(-> ROUTE/my-route
RING-MIDDLEWARE-JSON/wrap-json-body
RING-MIDDLEWARE-JSON/wrap-json-response
(RING-MIDDLEWARE-DEFAULTS/wrap-defaults
RING-MIDDLEWARE-DEFAULTS/site-defaults)
(RING-MIDDLEWARE-CORS/wrap-cors
:access-control-allow-credentials "true"
:access-control-allow-origin [#".*"]
:access-control-allow-headers #{"accept"
"accept-encoding"
"accept-language"
"authorization"
"content-type"
"origin"}
;; I want to add mime-types. "content-type:... "application/wasm br gz javascript" ... etc
:access-control-allow-methods [:get :put :post :delete :options])
))
It seems that I need to set Access-Control-Allow-Credentials to true, but I couldn't find this configuration in the middleware.
deps.edn with {org.clojure/clojure {:mvn/version "1.10.1"} creates stack trace but 1.10.0 does not.
Removing (wrap-cors ... also removes the problem. Is this something to do with regex?
Exception in thread "main" java.lang.ClassCastException: clojure.pprint.proxy$java.io.Writer$IDeref$PrettyFlush$4923d848 cannot be cast to clojure.pprint.PrettyFlush
at clojure.pprint$pretty_writer$fn__8066.invoke(pretty_writer.clj:392)
at clojure.pprint.proxy$java.io.Writer$IDeref$PrettyFlush$4923d848.flush(Unknown Source)
at clojure.core$flush.invokeStatic(core.clj:3711)
at clojure.core$flush.invoke(core.clj:3705)
at clojure.core$prn.invokeStatic(core.clj:3722)
at clojure.core$prn.doInvoke(core.clj:3714)
at clojure.lang.RestFn.invoke(RestFn.java:397)
at clojure.pprint$pprint.invokeStatic(pprint_base.clj:252)
at clojure.pprint$pprint.invoke(pprint_base.clj:241)
at clojure.pprint$pprint.invokeStatic(pprint_base.clj:245)
at clojure.pprint$pprint.invoke(pprint_base.clj:241)
at clojure.lang.Var.invoke(Var.java:384)
at clojure.main$report_error$fn__6582$fn__6583.invoke(main.clj:603)
at clojure.main$report_error$fn__6582.invoke(main.clj:602)
at clojure.main$report_error.invokeStatic(main.clj:601)
at clojure.main$report_error.doInvoke(main.clj:584)
at clojure.lang.RestFn.invoke(RestFn.java:439)
at clojure.main$main.invokeStatic(main.clj:666)
at clojure.main$main.doInvoke(main.clj:616)
at clojure.lang.RestFn.applyTo(RestFn.java:137)
at clojure.lang.Var.applyTo(Var.java:705)
at clojure.main.main(main.java:40)
Remove this header from rules, because it is forbidden.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method
Hi,
Not an issue as such - I just don't know where else to ask the question - How do I tell ring-cors to allow access to all?
I currently have this
(def app
(->
(routes app-routes)
(prone/wrap-exceptions)
(handler/site)
(wrap-cors
:access-control-allow-origin #"http://localhost:10555"
:access-control-allow-methods [:get :put :post :delete])
(wrap-base-url)))
But I don't want to restrict access to "http://localhost:10555". I got errors when I used #"*" or #".*"
Any help would be appreciated.
I had to adapt this so that it will work in an ring async context. Would you like me to send a PR?
Hi,
When a request contains the 'origin' header - ring-cores sets a response map even if the original response was nil (when route not found) thus making the server return 200 status code instead of 404.
I believe it's the same issue as #5 , which I see was not merged in and is now obsolete to due code change.
Thanks
Due to some quirks of HeaderMap, if Access-Control-Allow-Methods is already present in a request, in some cases the the CORS headers are not correctly set.
See test cases in this branch and proposed fix: https://github.com/frenchy64/ring-cors/pull/1/files
I would like to only apply this middleware on a route context called "/api".
Is that possible?
An example would be awesome :)
Seriously fam, can you provide a better example of how to get this to work with a simple server? I can't get a 200 options request to return on a pre-flight of a post request in prod and you have like 3 lines on how this library is supposed to work. That is super frustrating.
See the issue here: https://stackoverflow.com/questions/58030830/clojure-cross-origin-error-totally-lost
The current condition for ring-cors to be triggered is only to check the presence of an Origin header on the request.
Some browsers like Chrome always send that header even for same domain origin requests, thus ring-cors is triggered where it shouldn't, leading to unexpected behavior.
I think it would be best to check the presence of Origin as well as a mismatch between Origin and Host instead.
I'm trying to integrate the ring-cors library into my application, and unfortunately I'm getting a compilation error.
Exception in thread "main" java.lang.RuntimeException: Unable to resolve symbol: join in this context, compiling:(ring/middleware/cors.clj:20)
Here's a gist of my code:
Compojure and other libraries that compose different handlers together expect to try handlers until the first one which returns a response map. Handlers indicate they do not handle a particular request by returning nil instead of a response map.
When wrapping a handler in ring-cors, (add-access-control request (handler request) access-control)) always returns a response map even when (handler request) is nil, this breaks the first non-nil handler logic of routing libraries.
With version 0.1.1, my app included this:
(wrap-cors :access-control-allow-origin #"http://(.*\.)?likestream.net(:\d*)"
:access-control-allow-headers ["X-API-Version" "Accept" "Content-Type"]
:access-control-allow-methods ["GET" "PUT" "POST" "DELETE"]
:access-control-allow-credentials "true")
When I switched to version 0.1.2 (no other change to my code), then the CORS headers are not included in the response to the OPTIONS request.
FYI, my request headers look like this:
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:x-api-version, accept
Access-Control-Request-Method:GET
Cache-Control:no-cache
Connection:keep-alive
Cookie:ring-session=fd674f7e-15ad-4aab-bae4-268fcc251b4e
Host:spare03.likestream.net:8080
Origin:http://dcjdev.likestream.net:8090
Pragma:no-cache
Referer:http://dcjdev.likestream.net:8090/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.18 Safari/537.36
Is this a bug in my code, or has something changed in ring-cors?
If a request isn't allowed? then nil is returned as a response. There should be something better (although not sure what response exactly, perhaps just a 403)
ring-cors depends on ring-core for the sole method get-header.
It would be nice to drop this dependency and simply copy the code in ring-cors for 2 reasons:
ring-corering-core ships with lots of irrelevant transitive dependenciesWhat do you think? I can create a PR if needed.
As far as I can tell, this library doesn't support the Access-Control-Allow-Credentials header (it doesn't support Access-Control-Expose-Headers and Access-Control-Max-Age either).
Is this a design decision, or are you open to contributions to add these?
When I post an invalid body to the POST endpoint, the response is missing cors headers. But, when I set a valid body {item: true} the response does include cors headers. How do I get the cors headers to be included when there is a bad request? Are CORS headers only added when the request is allowed?
(defn- bad-request-handler
"Handles bad requests."
[f]
(f
(ring/response {:status "bad request"})))
(def app
(api
{:exceptions {:handlers
{::ex/request-validation (bad-request-handler response/bad-request)}}}
(POST "/" [] :body [item {(schema/required-key :item) schema/Bool}]
:middleware [#(wrap-cors % :access-control-allow-origin [#".*"]
:access-control-allow-methods [:post])]
:responses {200 {:description "ok"}
400 {:description "bad request"}} item)))
Hello,
I am using compojure and I wanted to allow origin from anywhere for the development process of my app so i added ring-cors like the example shows but if i look at the response headers on my chrome developer tools, i do not see the header set.
Does this middleware still works or is it abandoned?
Thanks for your time
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.