
Commit 359e83c

mbbx6spp authored and JulianBirch committed
Update docs to describe more secure treatment of cross-origin server configuration
1 parent 8e8b931 commit 359e83c

File tree

1 file changed

+15
-13
lines changed


docs/server.md

Lines changed: 15 additions & 13 deletions
@@ -12,23 +12,25 @@ If your tastes/requirements run more to a standardized multi-format REST server,
1212

1313
## Cross Origin Requests
1414

15-
By default the browser blocks ajax requests from a server which is different to the current page. To enable such cross origin requests add the `Access-Control-Allow-Origin` and `Access-Control-Allow-Headers` headers to your response as follows.
15+
By default the browser blocks ajax requests from a server which is different to the current page. To enable such cross origin requests add the `Access-Control-Allow-Origin` and `Access-Control-Allow-Headers` headers to your response as follows. You can use the [`ring-cors`](https://github.com/r0man/ring-cors) library to wrap your routes with customizable CORS middleware.
1616

1717
```clojure
1818

19-
;;using the compojure library
19+
(require '[ring.middleware.cors :refer [wrap-cors]])
2020

21-
(defroutes my-routes
22-
...
23-
(ANY "/my-endpoint" []
24-
{:status 200
25-
:headers {
26-
"Access-Control-Allow-Origin" "*"
27-
"Access-Control-Allow-Headers" "Content-Type"
28-
}
29-
:body body
30-
}))
21+
(def allowed-origins [#"https://example-a.com" #"https://example-b.com"])
22+
23+
(def allowed-methods [:get :post :put :delete])
24+
25+
(def allowed-headers #{:accept :content-type})
26+
27+
;; my-routes already defined somewhere
28+
29+
(def handler
30+
(wrap-cors my-routes :access-control-allow-origin allowed-origins
31+
:access-control-allow-methods allowed-methods
32+
:access-control-allow-headers allowed-headers)
3133

3234
```
3335

34-
`Access-Control-Allow-Origin` is the standard header telling the browser to permit a cross origin request. Set it to the server you expect the ajax requests from or a wildcard (less secure). For Google Chrome we must include the header `Access-Control-Allow-Headers` to prevent it stripping the `Content-Type` header from our requests. We must also change the request method from GET or POST to ANY. The browser will actually submit two requests. The first is an OPTIONS request submitted in order to probe the endpoint. The second is the main GET or POST request. Early versions of compojure may not support this correctly.
36+
`Access-Control-Allow-Origin` is the standard header telling the browser to permit a cross origin request. For Google Chrome we must include the header `Access-Control-Allow-Headers` to prevent it stripping the `Content-Type` header from our requests. For non-simple cross-origin requests (e.g. `GET` or `HEAD` requests) the browser will submit two requests: a _preflight_ and the target request. The first is an `OPTIONS` request submitted in order to probe the endpoint. The second is the main `GET` or `POST` request. To understand this process better, you can read [Mozilla's guide on Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).
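Review bot: the new explanatory paragraph gives the wrong examples of non-simple requests: `GET` and `HEAD` are exactly the simple methods that do not trigger a preflight, so the parenthetical should cite requests that do, such as those using `PUT` or `DELETE` (both listed in `allowed-methods`) or a non-form `Content-Type`, which is consistent with the `OPTIONS` preflight description that follows. Also, the origin patterns in `allowed-origins` leave the `.` unescaped, so `#"https://example-a.com"` matches any character in that position; write them as `#"^https://example-a\.com$"` (escaped and anchored) so only the intended origin is accepted. Finally, the old text's remark that a wildcard origin is less secure has been dropped; a sentence advising against `"*"` for endpoints that rely on cookies or credentials is worth keeping alongside the new `ring-cors` example.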
