cyu / rack-cors

Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.

Custom protocols and defining their origin

stefansundin opened this issue

Hello there,

I am developing a chrome extension that talks to my website. The extension's origin is

chrome-extension://bjpcphhoenjjadogjjcelgjnnfgamiog

so I naturally defined

origins "chrome-extension://bjpcphhoenjjadogjjcelgjnnfgamiog"

in Rack::Cors' configuration.

But it didn't work. I got a 404 on the OPTIONS request. Weird, I thought.

After some digging, I found this piece of code:

            case n
            when Regexp,
                 /^https?:\/\//,
                 'file://'        then n
            when '*'              then @public_resources = true; n
            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
            end

So unless your protocol is http, https, or file, you are not expected to specify the protocol? I tested it and using origins "bjpcphhoenjjadogjjcelgjnnfgamiog" worked.

What is the reason to even have that else clause? To me it would make sense to change that code to:

            @public_resources = true if n == '*'
            n

I guess I'm mostly confused about the origin of that code. It doesn't seem necessary, isn't explained in the docs as far as I could see, and it prevents you from using arbitrary protocols as strings.

Thanks!

The most common usage of this middleware would be for normal HTTP and HTTPS usage, so configuration is optimized for that. The original intent is to allow example.net to support both protocols (and not require them to be specified individually).

While I don't really have a strong preference for this style anymore, I'm inclined to leave it as it doesn't break backwards compatibility and your use case is still supported (as a regex).

I'm sorry to bring this up again after two years, but I have lost many hours on a similar problem, but now involving Ionic.

On iOS the Origin header is set to ionic://localhost (https://ionicframework.com/docs/faq/cors#ionic-webview-3-x-plugin-on-cordova).

Thus using origins 'ionic://localhost' led to errors when testing the app on iOS devices.

And I can confirm that origins 'localhost' works.

Is it worth mentioning this behaviour for protocols different than http, https or file?

I'm developing a Chrome extension and this also sent me on a 3-hour spree until I found this ticket. Thanks for the workaround @stefansundin.

Documented + PR: #219

After reviewing @aguynamedben's documentation PR, I realize I wasn't looking at this issue correctly so I'm re-opening this issue.

This issue should be fixed with [#225], which is in 2.0.0.rc1
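The behaviour discussed in this thread, as an added example that is not part of the original issue or of rack-cors itself: it reproduces the `case n` branch quoted in the first post and shows which configured origins match which `Origin` headers, including that a bare host accepts every scheme. The names `normalize_origin` and `allowed?`, the `===` comparison, and the sample headers are assumptions made for illustration.

```ruby
# Added example, not rack-cors code: mirrors the `case n` branch quoted above.
# `normalize_origin` and `allowed?` are hypothetical helper names.
def normalize_origin(n)
  case n
  when Regexp, /^https?:\/\//, 'file://' then n   # kept exactly as configured
  when '*' then n
  else
    # Any other string is treated as a bare host and wrapped in "<scheme>://".
    Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
  end
end

# Assumption: the configured origin is compared to the Origin header with ===
# (equality for a String, pattern match for a Regexp).
def allowed?(configured, origin_header)
  normalize_origin(configured) === origin_header
end

EXT_ORIGIN = 'chrome-extension://bjpcphhoenjjadogjjcelgjnnfgamiog'
# Exact-origin pattern: \A and \z anchor the whole string, scheme included.
IONIC_ONLY = /\Aionic:\/\/localhost\z/

# Constructed sample cases: [configured origin, Origin header sent by client].
def demo_rows
  [
    [EXT_ORIGIN, EXT_ORIGIN],                          # full string with scheme
    ['bjpcphhoenjjadogjjcelgjnnfgamiog', EXT_ORIGIN],  # bare id (workaround)
    ['localhost', 'ionic://localhost'],                # bare host, Ionic on iOS
    ['localhost', 'http://localhost'],                 # same config, other scheme
    ['localhost', 'other-scheme://localhost'],         # constructed scheme
    [IONIC_ONLY, 'ionic://localhost'],                 # regex pins the scheme
    [IONIC_ONLY, 'http://localhost']
  ].map { |cfg, hdr| [cfg, hdr, allowed?(cfg, hdr)] }
end

if __FILE__ == $PROGRAM_NAME
  demo_rows.each do |cfg, hdr, ok|
    puts format('%-58s %-56s %s', cfg.inspect, hdr, ok ? 'allowed' : 'rejected')
  end
end
```

A configured string that already contains a custom scheme is wrapped in a second scheme prefix and so never matches, while the bare-host form matches that host under any scheme; an anchored Regexp is the form that allows exactly one origin.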