Further refactor cross-origin

- Add all [required headers](https://github.com/britg/sinatra-cross_origin/blob/master/lib/s inatra/cross_origin.rb#L51-L58) - Respond to preflight requests #18
2024-11-22 02:52:49 +01:00 · 2016-04-24 16:19:36 +01:00 · 2016-04-24 16:19:36 +01:00 · 59df76477e
commit 59df76477e
parent 260dc65dff
2 changed files with 29 additions and 3 deletions
--- a/lib/api.rb
+++ b/lib/api.rb
@ -6,7 +6,17 @@ require 'yajl'
 require 'quote'

 configure do
-  enable :cross_origin
+  set :options_response_headers,
+      'Allow'                            => 'HEAD, GET, OPTIONS',
+      'Access-Control-Allow-Headers'     => 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Cache-Control, Accept'
+
+  set :cors_response_headers,
+      'Access-Control-Allow-Credentials' => 'true',
+      'Access-Control-Allow-Headers'     => '*, Content-Type, Accept, AUTHORIZATION, Cache-Control',
+      'Access-Control-Allow-Methods'     => 'POST, GET, OPTIONS',
+      'Access-Control-Allow-Origin'      => '*',
+      'Access-Control-Expose-Headers'    => 'Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma',
+      'Access-Control-Max-Age'           => '1728000'
 end

 configure :development do
@ -41,22 +51,31 @@ helpers do
  def halt_with_message(status, message)
    halt status, Yajl::Encoder.encode(error: message)
  end
+
+  def enable_cross_origin
+    headers settings.cors_response_headers
+  end
 end

-before do
-  headers 'Access-Control-Allow-Origin' => '*'
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests
+options '*' do
+  headers settings.options_response_headers
+  pass
 end

 get '/' do
+  enable_cross_origin
  jsonp details: 'http://fixer.io', version: App.version
 end

 get '/latest' do
+  enable_cross_origin
  last_modified quote[:date]
  jsonp quote
 end

 get(/(?<date>\d{4}-\d{2}-\d{2})/) do
+  enable_cross_origin
  last_modified quote[:date]
  jsonp quote
 end
--- a/spec/api_spec.rb
+++ b/spec/api_spec.rb
@ -56,6 +56,13 @@ describe 'the API' do
    %w(/ /latest /2012-11-20).each do |path|
      get path
      assert_equal '*', headers['Access-Control-Allow-Origin']
+      refute_empty headers['Access-Control-Allow-Methods']
    end
  end
+
+  it 'responds to preflight requests' do
+    options '/'
+    refute_empty headers['Allow']
+    refute_empty headers['Access-Control-Allow-Headers']
+  end
 end