Plug-based swiss-army knife for CORS requests.

Corsica provides facilities for dealing with CORS requests and responses. It provides:

• low-level functions that let you decide when and where to deal with CORS requests and CORS response headers;
• a plug that handles CORS requests and responds to preflight requests;
• a router that can be used in your modules in order to turn them into CORS handlers which provide fine control over dealing with CORS requests.

How it works

Corsica is compliant with the W3C CORS specification. As per this specification, Corsica doesn’t put any CORS response headers in a connection that holds an invalid CORS request. To know what “invalid” CORS request means, have a look at the “Validity of CORS requests” section below.

When some options that are not mandatory and have no default value (such :max_age) are not passed to Corsica (in one of the available ways to pass options to it), the relative header will often not be sent at all. This is compliant with the specification and at the same time it reduces the size of the response, even if just by a handful of bytes.

The following is a list of all the CORS response headers supported by Corsica:

• Access-Control-Allow-Origin
• Access-Control-Allow-Methods
• Access-Control-Allow-Headers
• Access-Control-Allow-Credentials
• Access-Control-Expose-Headers
• Access-Control-Max-Age

Using Corsica as a plug

When Corsica is used as a plug, it intercepts all requests; it only sets a bunch of CORS headers for regular CORS requests, but it responds (with a 200 OK and the appropriate headers) to preflight requests.

If you want to use Corsica as a plug, be sure to plug it in your plug pipeline before any router: routers like Plug.Router (or Phoenix.Router) respond to HTTP verbs as well as request urls, so if Corsica is plugged after a router then preflight requests (which are OPTIONS requests) will often result in 404 errors since no route responds to them.

defmodule MyApp.Endpoint do
  plug Head
  plug Corsica, max_age: 600, origins: "*", expose_headers: ~w(X-Foo)
  plug MyApp.Router
end

Using Corsica as a router generator

When Corsica is used as a plug, it doesn’t provide control over which urls are CORS-enabled or with which options. In order to do that, you can use Corsica.Router. See the documentation for Corsica.Router for more information.

Origins

Allowed origins can be specified by passing the :origins options either when using a Corsica-based router or when plugging Corsica in a plug pipeline.

:origins can be a single value or a list of values. "*" can only appear as a single value. The default value is "*". The origin of a request (specified by the "origin" request header) will be considered a valid origin if it “matches” at least one of the origins specified in :origins. What “matches” means depends on the type of origin. Origins can be:

• strings - the actual origin and the allowed origin have to be identical
• regexes - the actual origin has to match the allowed regex (as per Regex.match?/2)
• {module, function} tuples - module.function is called with the actual origin as its only argument; if it returns true the origin is accepted, if it returns false the origin is not accepted

For example:

# Matches everything
plug Corsica, origins: "*"

# Matches one of the given origins
plug Corsica, origins: ["http://foo.com", "http://bar.com"]

# Matches the given regex
plug Corsica, origins: ~r{^https?://(.*.?)foo.com$}

The value of the “access-control-allow-origin” header

The :origins option directly influences the value of the access-control-allow-origin response header. When :origins is "*", the access-control-allow-origin header is set to * as well. If the request’s origin is allowed and :origins is something different than "*", then you won’t see that value as the value of the access-control-allow-origin header: the value of this header will be the request’s origin (which is mirrored). This behaviour is intentional: it’s compliant with the W3C CORS specification and at the same time it provides the advantage of “hiding” all the allowed origins from the client (which only sees its origin as an allowed origin).

The “vary” header

If :origins is a list with more than one value and the request origin matches, then a Vary: Origin header is added to the response.

Options

Besides :origins, the options that can be passed to the use macro, to Corsica.Router.resource/2 and to the Corsica plug (along with their default values) are:

• :allow_headers - a list of headers (as binaries). Sets the value of the access-control-allow-headers header used with preflight requests. Defaults to [] (no headers are allowed).
• :allow_methods - is a list of HTTP methods (as binaries). Sets the value of the access-control-allow-methods header used with preflight requests. Defaults to ["HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"].
• :allow_credentials - is a boolean. If true, sends the access-control-allow-credentials with value true. If false, prevents that header from being sent at all. If :origins is set to "*" and :allow_credentials is set to true, then the value of the access-control-allow-origin header will always be the value of the origin request header (as per the W3C CORS specification) and not *. Defaults to false.
• :expose_headers - is a list of headers (as binaries). Sets the value of the access-control-expose-headers response header. This option does not have a default value; if it’s not provided, the access-control-expose-headers header is not sent at all.
• :max_age - is an integer or a binary. Sets the value of the access-control-max-age header used with preflight requests. This option does not have a default value; if it’s not provided, the access-control-max-age header is not sent at all.
• :log - see the “Logging” section below.

Responding to preflight requests

When the request is a preflight request and a valid one (valid origin, valid request method, and valid request headers), Corsica directly sends a response to that request instead of just adding headers to the connection (so that a possible plug pipeline can continue). To do this, Corsica halts the connection (through Plug.Conn.halt/1) and sends a response.

Validity of CORS requests

“Invalid CORS request” can mean that a request doesn’t have an Origin header (so it’s not a CORS request at all) or that it’s a CORS request but:

• the Origin request header doesn’t match any of the allowed origins
• the request is a preflight request but it requests to use a method or some headers that are not allowed (via the Access-Control-Request-Method and Access-Control-Request-Headers headers)

Logging

Corsica supports basic logging functionalities; it can log whether a CORS request is a valid one, what CORS headers are added to a response and similar information. Corsica distinguishes between three “types” of logs:

• “rejected” logs, for when the request is “rejected” in the CORS perspective, e.g., it’s not allowed
• “invalid” logs, for when the request is not a simple CORS request or not a CORS preflight request
• “accepted” logs, for when the request is a valid and accepted CORS request

It’s possible to configure these logs with the :log option, which is a keyword list with the :rejected, :invalid, and :accepted options. These options specify the logging level of each type of log. The defaults are:

• rejected: :warn
• invalid: :debug
• accepted: :debug

For example:

plug Corsica, log: [rejected: :error]

false can be used as the value of a level for a log type to suppress that type completely.