Corsica v1.1.3 Corsica View Source

Plug-based swiss-army knife for CORS requests.

Corsica provides facilities for dealing with CORS requests and responses. It provides:

  • low-level functions that let you decide when and where to deal with CORS requests and CORS response headers;
  • a plug that handles CORS requests and responds to preflight requests;
  • a router that can be used in your modules in order to turn them into CORS handlers which provide fine control over dealing with CORS requests.

How it works

Corsica is compliant with the W3C CORS specification. As per this specification, Corsica doesn't put any CORS response headers in a connection that holds an invalid CORS request. To know what "invalid" CORS request means, have a look at the "Validity of CORS requests" section below.

When some options that are not mandatory and have no default value (such :max_age) are not passed to Corsica (in one of the available ways to pass options to it), the relative header will often not be sent at all. This is compliant with the specification and at the same time it reduces the size of the response, even if just by a handful of bytes.

The following is a list of all the CORS response headers supported by Corsica:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age

Using Corsica as a plug

When Corsica is used as a plug, it intercepts all requests; it only sets a bunch of CORS headers for regular CORS requests, but it responds (with a 200 OK and the appropriate headers) to preflight requests.

If you want to use Corsica as a plug, be sure to plug it in your plug pipeline before any router: routers like Plug.Router (or Phoenix.Router) respond to HTTP verbs as well as request urls, so if Corsica is plugged after a router then preflight requests (which are OPTIONS requests) will often result in 404 errors since no route responds to them.

defmodule MyApp.Endpoint do
  plug Head
  plug Corsica, max_age: 600, origins: "*", expose_headers: ~w(X-Foo)
  plug MyApp.Router
end

Using Corsica as a router generator

When Corsica is used as a plug, it doesn't provide control over which urls are CORS-enabled or with which options. In order to do that, you can use Corsica.Router. See the documentation for Corsica.Router for more information.

Origins

Allowed origins must be specified by passing the :origins options either when using a Corsica-based router or when plugging Corsica in a plug pipeline. If :origins is not provided, an error will be raised.

:origins can be a single value or a list of values. The origin of a request (specified by the "origin" request header) will be considered a valid origin if it "matches" at least one of the origins specified in :origins. What "matches" means depends on the type of origin. Origins can be:

  • strings - the actual origin and the allowed origin have to be identical
  • regexes - the actual origin has to match the allowed regex (as per Regex.match?/2)
  • {module, function} tuples - module.function is called with the actual origin as its only argument; if it returns true the origin is accepted, if it returns false the origin is not accepted

The value "*" can also be used to match every origin and reply with * as the value of the access-control-allow-origin header. If "*" is used, it must be used as the only value of :origins (that is, it can't be used inside a list of accepted origins).

For example:

# Matches everything.
plug Corsica, origins: "*"

# Matches one of the given origins
plug Corsica, origins: ["http://foo.com", "http://bar.com"]

# Matches the given regex
plug Corsica, origins: ~r{^https?://(.*.?)foo.com$}

The value of the "access-control-allow-origin" header

The :origins option directly influences the value of the access-control-allow-origin response header. When :origins is "*", the access-control-allow-origin header is set to * as well. If the request's origin is allowed and :origins is something different than "*", then you won't see that value as the value of the access-control-allow-origin header: the value of this header will be the request's origin (which is mirrored). This behaviour is intentional: it's compliant with the W3C CORS specification and at the same time it provides the advantage of "hiding" all the allowed origins from the client (which only sees its origin as an allowed origin).

The "vary" header

When Corsica is configured such that the access-control-allow-origin response header will vary depending on the origin request header then a vary: origin response header will be set.

Options

Besides :origins, the options that can be passed to the use macro, to Corsica.Router.resource/2 and to the Corsica plug (along with their default values) are:

  • :allow_methods - a list of HTTP methods (as binaries) or :all. This is the list of methods allowed in the access-control-request-method header of preflight requests. If the method requested by the preflight request is in this list or is a simple method (HEAD, GET, or POST), then that method is always allowed. The methods specified by this option are returned in the access-control-allow-methods response header. Defaults to ["PUT", "PATCH", "DELETE"] (which means these methods are allowed alongside simple methods). If the value of this option is :all, all request methods are allowed and only the method in access-control-request-method is returned as the value of the access-control-allow-methods header.

  • :allow_headers - a list of headers (as binaries) or :all. This is the list of headers allowed in the access-control-request-headers header of preflight requests. If a header requested by the preflight request is in this list or is a simple header (Accept, Accept-Language, or Content-Language), then that header is always allowed. The headers specified by this option are returned in the access-control-allow-headers response header. Defaults to [] (which means only the simple headers are allowed). If the value of this option is :all, all request headers are allowed and only the headers in access-control-request-headers are returned as the value of the access-control-allow-headers header.

  • :allow_credentials - a boolean. If true, sends the access-control-allow-credentials with value true. If false, prevents that header from being sent at all. If :origins is set to "*" and :allow_credentials is set to true, then the value of the access-control-allow-origin header will always be the value of the origin request header (as per the W3C CORS specification) and not *. Defaults to false.

  • :expose_headers - a list of headers (as binaries). Sets the value of the access-control-expose-headers response header. This option does not have a default value; if it's not provided, the access-control-expose-headers header is not sent at all.

  • :max_age - an integer or a binary. Sets the value of the access-control-max-age header used with preflight requests. This option does not have a default value; if it's not provided, the access-control-max-age header is not sent at all.

  • :log - see the "Logging" section below. Defaults to false.

Responding to preflight requests

When the request is a preflight request and a valid one (valid origin, valid request method, and valid request headers), Corsica directly sends a response to that request instead of just adding headers to the connection (so that a possible plug pipeline can continue). To do this, Corsica halts the connection (through Plug.Conn.halt/1) and sends a response.

Validity of CORS requests

"Invalid CORS request" can mean that a request doesn't have an Origin header (so it's not a CORS request at all) or that it's a CORS request but:

  • the Origin request header doesn't match any of the allowed origins
  • the request is a preflight request but it requests to use a method or some headers that are not allowed (via the Access-Control-Request-Method and Access-Control-Request-Headers headers)

Logging

Corsica supports basic logging functionalities; it can log whether a CORS request is a valid one, what CORS headers are added to a response and similar information. Corsica distinguishes between three "types" of logs:

  • "rejected" logs, for when the request is "rejected" in the CORS perspective, e.g., it's not allowed
  • "invalid" logs, for when the request is not a simple CORS request or not a CORS preflight request
  • "accepted" logs, for when the request is a valid and accepted CORS request

It's possible to configure these logs with the :log option, which is a keyword list with the :rejected, :invalid, and :accepted options. These options specify the logging level of each type of log. The defaults values for each level are:

  • rejected: :warn
  • invalid: :debug
  • accepted: :debug

false can be used as the value of a level for a log type to suppress that type completely. false can also be used as the value of the :log option directly to suppress all logs.

The default value for the :log option is false.

For example:

plug Corsica, log: [rejected: :error]
plug Corsica, log: false
plug Corsica, log: [rejected: :info, accepted: false]

Link to this section Summary

Functions

Callback implementation for Plug.call/2.

Checks whether a given connection holds a CORS request.

Callback implementation for Plug.init/1.

Checks whether a given connection holds a preflight CORS request.

Adds CORS response headers to a preflight request to conn.

Adds CORS response headers to a simple CORS request to conn.

Sends a CORS preflight response regardless of the request being a valid CORS request or not.

Link to this section Functions

Callback implementation for Plug.call/2.

Checks whether a given connection holds a CORS request.

This function doesn't check if the CORS request is a valid CORS request: it just checks that it's a CORS request, that is, it has an Origin request header.

Callback implementation for Plug.init/1.

Link to this function

preflight_req?(conn)

View Source
preflight_req?(Plug.Conn.t()) :: boolean()

Checks whether a given connection holds a preflight CORS request.

This function doesn't check that the preflight request is a valid CORS request: it just checks that it's a preflight request. A request is considered to be a CORS preflight request if and only if its request method is OPTIONS and it has a Access-Control-Request-Method request header.

Note that if a request is a valid preflight request, that makes it a valid CORS request as well. You can thus call just preflight_req?/1 instead of preflight_req?/1 and cors_req?/1.

Link to this function

put_cors_preflight_resp_headers(conn, opts)

View Source

Adds CORS response headers to a preflight request to conn.

This function assumes nothing about conn. If conn holds an invalid CORS request or an invalid preflight request, then conn is returned unchanged; the absence of CORS headers will be interpreted as an invalid CORS response by the browser (according to the W3C spec).

If the request is a valid CORS request, the following headers will be added to the response:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

and the following headers will optionally be added (based on the value of the corresponding options):

  • Access-Control-Allow-Credentials (if the :allow_credentials option is true)
  • Access-Control-Max-Age (if the :max_age option is present)

Options

This function accepts the same options accepted by the Corsica plug (described in the documentation for the Corsica module), including :log for logging.

Examples

put_cors_preflight_resp_headers conn, [
  max_age: 86400,
  allow_headers: ~w(X-Header),
  origins: ~r/w+.foo.com$/
]
Link to this function

put_cors_simple_resp_headers(conn, opts)

View Source

Adds CORS response headers to a simple CORS request to conn.

This function assumes nothing about conn. If conn holds an invalid CORS request or a request whose origin is not allowed, conn is returned unchanged; the absence of CORS headers will be interpreted as an invalid CORS response by the browser (according to the W3C spec).

If the CORS request is valid, the following response headers are set:

  • Access-Control-Allow-Origin

and the following headers are optionally set (if the corresponding option is present):

  • Access-Control-Expose-Headers (if the :expose_headers option is present)
  • Access-Control-Allow-Credentials (if the :allow_credentials option is true)

Options

This function accepts the same options accepted by the Corsica plug (described in the documentation for the Corsica module), including :log for logging.

Examples

conn
|> put_cors_simple_resp_headers(origins: "*", allow_credentials: true)
|> send_resp(200, "Hello!")
Link to this function

send_preflight_resp(conn, status \\ 200, body \\ "", opts)

View Source

Sends a CORS preflight response regardless of the request being a valid CORS request or not.

This function assumes nothing about conn. If it's a valid CORS preflight request with an allowed origin, CORS headers are set by calling put_cors_preflight_resp_headers/2 and the response is sent with status status and body body. conn is halted before being sent.

The response is always sent because if the request is not a valid CORS request, then no CORS headers will be added to the response. This behaviour will be interpreted by the browser as a non-allowed preflight request, as expected.

For more information on what headers are sent with the response if the preflight request is valid, look at the documentation for put_cors_preflight_resp_headers/2.

Options

This function accepts the same options accepted by the Corsica plug (described in the documentation for the Corsica module), including :log for logging.

Examples

This function could be used to manually build a plug that responds to preflight requests. For example:

defmodule MyRouter do
  use Plug.Router
  plug :match
  plug :dispatch

  options "/foo",
    do: Corsica.send_preflight_resp(conn, origins: "*")
  get "/foo",
    do: send_resp(conn, 200, "ok")
end