wai-cors: CORS for WAI
This package provides an implemenation of Cross-Origin resource sharing (CORS) for Wai that aims to be compliant with http://www.w3.org/TR/cors.
[Skip to Readme]
Downloads
- wai-cors-0.2.7.tar.gz [browse] (Cabal source package)
- Package description (as included in the package)
| Versions [RSS] | 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7 |
|---|---|
| Change log | CHANGELOG.md |
| Dependencies | attoparsec (>=0.10.4.0), base (>=4.8 && <5.0), base-unicode-symbols (>=0.2.2.3), bytestring (>=0.10.0.2), case-insensitive (>=1.0.0.1), http-types (>=0.8.0), mtl (>=2.2), transformers (>=0.4), wai (>=3.0) [details] |
| Tested with | ghc ==7.10.3, ghc ==8.0.2, ghc ==8.2.2, ghc ==8.4.4, ghc ==8.6.5 |
| License | MIT |
| Copyright | (c) 2015-2019 Lars Kuhtz <lakuhtz@gmail.com>, (c) 2014 AlephCloud Systems, Inc. |
| Author | Lars Kuhtz <lakuhtz@gmail.com> |
| Maintainer | Lars Kuhtz <lakuhtz@gmail.com> |
| Category | HTTP, Network, Web, Wai |
| Home page | https://github.com/larskuhtz/wai-cors |
| Bug tracker | https://github.com/larskuhtz/wai-cors/issues |
| Source repo | head: git clone https://github.com/larskuhtz/wai-cors -b master this: git clone https://github.com/larskuhtz/wai-cors(tag 0.2.7) |
| Uploaded | by larsk at 2019-06-06T07:15:24Z |
| Distributions | Arch:0.2.7, Debian:0.2.7, Fedora:0.2.7, LTSHaskell:0.2.7, NixOS:0.2.7, Stackage:0.2.7, openSUSE:0.2.7 |
| Reverse Dependencies | 13 direct, 5 indirect [details] |
| Downloads | 22894 total (268 in the last 30 days) |
| Rating | 2.0 (votes: 1) [estimated by Bayesian average] |
| Your Rating | |
| Status | Docs available [build log] Last success reported on 2019-06-06 [all 1 reports] |
Readme for wai-cors-0.2.7
[back to package description]
Cross-Origin Resource Sharing (CORS) For Wai
This package provides a Haskell implementation of CORS for WAI that aims to be compliant with [http://www.w3.org/TR/cors](http://www.w3.org/TR/cors).
Note On Security
This implementation doesn't include any server side enforcement. By complying
with the CORS standard it enables the client (i.e. the web browser) to enforce
the CORS policy. For application authors it is strongly recommended to take
into account the security considerations in section 6.3 of the
CORS standard. In particular the application should
check that the value of the Origin header matches the expectations.
Websocket connections don't support CORS and are ignored by the CORS implementation in this package. However Websocket requests usually (at least for some browsers) include the @Origin@ header. Applications are expected to check the value of this header and respond with an error in case that its content doesn't match the expectations.
Installation
Assuming the availability of recent versions of GHC and cabal this package is installed via
cabal update
cabal install wai-cors
Usage
The function 'simpleCors' enables support of simple cross-origin requests. More advanced CORS policies can be enabled by passing a 'CorsResourcePolicy' to the 'cors' middleware.
The file examples/Scotty.hs shows how to support simple cross-origin requests (as
defined in [http://www.w3.org/TR/cors](http://www.w3.org/TR/cors)) in a
scotty application.
{-# LANGUAGE OverloadedStrings #-}
module Main
( main
) where
import Network.Wai.Middleware.Cors
import Web.Scotty
main :: IO ()
main = scotty 8080 $ do
middleware simpleCors
matchAny "/" $ text "Success"
The result of following curl command will include the HTTP response
header Access-Control-Allow-Origin: *.
curl -i http://127.0.0.1:8080 -H 'Origin: 127.0.0.1' -v
Documentation for more general usage can be found in the module Network.Wai.Middleware.Cors.
Test
In order to run the automated test suite PhantomJS (at least version 2.0) must be installed in the system.
cabal install --only-dependencies --enable-tests
cabal test --show-details=streaming
If PhantomJS is not available the tests can be exectued manually in a modern web-browser as follows.
Start the server application:
cd test
ghc -main-is Server Server.hs
./Server
Open the file test/index.html in a modern web-browser. On page load a Javascript
script is exectued that runs the test suite and prints the result on the page.