server/org.http4s.server.middleware/CORSPolicy

CORSPolicy

sealed class CORSPolicy(allowOrigin: AllowOrigin, allowCredentials: AllowCredentials, exposeHeaders: ExposeHeaders, allowMethods: AllowMethods, allowHeaders: AllowHeaders, maxAge: MaxAge)

A middleware that applies the CORS protocol to any Http value. Obtain a reference to a CORSPolicy via the CORS object, which represents a default policy.

Requests with an Origin header will receive the appropriate CORS headers. More headers are available for "pre-flight" requests, those whose method is OPTIONS and has an Access-Control-Request-Method header.

Requests without the required headers, or requests that fail a CORS origin, method, or headers check are passed through to the underlying Http function, but do not receive any CORS headers in the response. The user agent will then block sharing the resource across origins according to the CORS protocol.

Companion
object
class Object
trait Matchable
class Any

Value members

Concrete methods

def apply[F[_], G[_]](http: Http[F, G])(implicit evidence$3: Applicative[F]): Http[F, G]
def httpApp[F[_]](httpApp: HttpApp[F])(implicit evidence$8: Applicative[F]): HttpApp[F]
def httpRoutes[F[_]](httpRoutes: HttpRoutes[F])(implicit evidence$7: Monad[F]): HttpRoutes[F]
def impl[F[_], G[_]](http: Http[F, G], preflightResponder: Http[F, G])(implicit evidence$6: Functor[F]): Http[F, G]
def withAllowCredentials(b: Boolean): CORSPolicy

Allow credentials. Sends an Access-Control-Allow-Credentials: * on valid CORS requests if true, and omits the header if false.

Allow credentials. Sends an Access-Control-Allow-Credentials: * on valid CORS requests if true, and omits the header if false.

For security purposes, it is an invalid per the Fetch Living Standard that defines CORS to set this to true when any origin is allowed.

def withAllowHeadersAll: CORSPolicy

Allows CORS requests with any headers if credentials are not allowed. If credentials are allowed, allows requests with a literal header name of *, which is almost certainly not what you mean, but per spec.

Allows CORS requests with any headers if credentials are not allowed. If credentials are allowed, allows requests with a literal header name of *, which is almost certainly not what you mean, but per spec.

Sends an Access-Control-Allow-Headers: * header on valid CORS preflight requests.

def withAllowHeadersIn(headers: Set[CIString]): CORSPolicy

Allows CORS requests whose request headers are a subset of the headers enumerated here, or are CORS-safelisted.

Allows CORS requests whose request headers are a subset of the headers enumerated here, or are CORS-safelisted.

If preflight requests send an Access-Control-Request-Headers header, its value must be a subset of those passed here.

Sends an Access-Control-Allow-Headers header with the specified headers on valid CORS preflight requests.

def withAllowHeadersReflect: CORSPolicy

Reflects the Access-Control-Request-Headers back as Access-Control-Allow-Headers on preflight requests. This is most useful when credentials are allowed and a wildcard for Access-Control-Allow-Headers would be treated literally.

Reflects the Access-Control-Request-Headers back as Access-Control-Allow-Headers on preflight requests. This is most useful when credentials are allowed and a wildcard for Access-Control-Allow-Headers would be treated literally.

Sends an Access-Control-Allow-Headers header with the specified headers on valid CORS preflight requests.

def withAllowMethodsAll: CORSPolicy

Allows CORS requests with any method if credentials are not allowed. If credentials are allowed, allows requests with a literal method of *, which is almost certainly not what you mean, but per spec.

Allows CORS requests with any method if credentials are not allowed. If credentials are allowed, allows requests with a literal method of *, which is almost certainly not what you mean, but per spec.

Sends an Access-Control-Allow-Headers: * header on valid CORS preflight requests.

def withAllowMethodsIn(methods: Set[Method]): CORSPolicy

Allows CORS requests with any of the specified methods allowed.

Allows CORS requests with any of the specified methods allowed.

Preflight requests must send a matching Access-Control-Request-Method header to receive a CORS response.

Sends an Access-Control-Allow-Headers header with the specified headers on valid CORS preflight requests.

def withAllowOriginAll: CORSPolicy

Allow CORS requests from any origin with an Access-Control-Allow-Origin of *.

Allow CORS requests from any origin with an Access-Control-Allow-Origin of *.

def withAllowOriginHeader(p: Origin => Boolean): CORSPolicy

Allow requests from any origin matching the predicate p. On matching requests, the request origin is reflected as the Access-Control-Allow-Origin header.

Allow requests from any origin matching the predicate p. On matching requests, the request origin is reflected as the Access-Control-Allow-Origin header.

The Origin header contains some arcane settings, like multiple origins, or a null origin. withAllowOriginHost is generally more convenient.

def withAllowOriginHost(p: Host => Boolean): CORSPolicy

Allow requests from any origin host matching the predicate p. The origin host is the first value in the request's Origin header, if not null header, unless it is null. Examples:

Allow requests from any origin host matching the predicate p. The origin host is the first value in the request's Origin header, if not null header, unless it is null. Examples:

  • Origin: http://www.example.com => http://www.example.com
  • Origin: http://www.example.com, http://example.net => http://www.example.com
  • Origin: null => always false

A Set[Origin.Host] is often a good choice here, but a predicate is offered to support more advanced matching.

def withAllowOriginHostCi(p: CIString => Boolean): CORSPolicy

Allow requests from any origin host whose case-insensitive rendering matches predicate p. A concession to the fact that constructing Origin.Host values is verbose.

Allow requests from any origin host whose case-insensitive rendering matches predicate p. A concession to the fact that constructing Origin.Host values is verbose.

See also
def withExposeHeadersAll: CORSPolicy

Exposes all response headers to the origin.

Exposes all response headers to the origin.

Sends an Access-Control-Expose-Headers: * header on valid CORS non-preflight requests.

def withExposeHeadersIn(names: Set[CIString]): CORSPolicy

Exposes specific response headers to the origin. These are in addition to CORS-safelisted response headers.

Exposes specific response headers to the origin. These are in addition to CORS-safelisted response headers.

Sends an Access-Control-Expose-Headers header with names as a comma-delimited string on valid CORS non-preflight requests.

def withExposeHeadersNone: CORSPolicy

Exposes no response headers to the origin beyond the CORS-safelisted response headers.

Exposes no response headers to the origin beyond the CORS-safelisted response headers.

Sends an Access-Control-Expose-Headers header with names as a comma-delimited string on valid CORS non-preflight requests.

def withMaxAge(duration: FiniteDuration): CORSPolicy

Sets the duration the results can be cached. The duration is truncated to seconds. A negative value results in a cache duration of zero.

Sets the duration the results can be cached. The duration is truncated to seconds. A negative value results in a cache duration of zero.

Sends an Access-Control-Max-Age header with the duration in seconds on preflight requests.

def withMaxAgeDefault: CORSPolicy

Sets the duration the results can be cached to the user agent's default. This suppresses the Access-Control-Max-Age header.

Sets the duration the results can be cached to the user agent's default. This suppresses the Access-Control-Max-Age header.

def withMaxAgeDisableCaching: CORSPolicy

Instructs the client to not cache any preflight results.

Instructs the client to not cache any preflight results.

Sends an Access-Control-Max-Age: -1 header