All notable changes to this project will be documented in this file.
- Refactored codebase
- Support declaring custom protocols in origin
- Allow //* to match // and / paths
- Use Rack::Utils.escape_path instead of Rack::Utils.escape
- Require Rack 2.0 for escape_path method
- Don't try to clean path if invalid.
- Return 400 (Bad Request) on preflights with invalid path
- Use Rack::Utils.escape to make compat with Rack 1.6.0
- Update Gem spec to require rack >= 1.6.0
- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
- Don't send 'Content-Type' header with pre-flight requests
- Allow ruby array for vary header config
- Automatically allow simple headers when headers are set
- Allow lambda origin configuration
- Don't implicitly accept 'null' origins when 'file://' is specified (cyu#134)
- Ignore '' origins (cyu#139)
- Default credentials option on resources to false (cyu#95)
- Don't allow credentials option to be true if '*' is specified is origin (cyu#142)
- Don't reflect Origin header when '*' is specified as origin (cyu#142)
- Don't respond immediately on non-matching preflight requests instead of sending them through the app (cyu#106)
- Return miss result in X-Rack-CORS instead of incorrectly returning preflight-hit
- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
- Calculate vary headers for non-CORS resources
- Support custom vary headers for resource
- Support :if option for resource
- Support :any as a possible value for :methods option
- Don't symbolize incoming HTTP request methods
- Changed the env key to rack.cors to avoid Rack::Lint warnings
- Added support for defining a logger with a Proc
- Return a X-Rack-CORS header when in debug mode detailing how Rack::Cors processed a request
- Added support for non HTTP/HTTPS origins when just a domain is specified
- Changed the log level of the fallback logger to DEBUG
- Print warning when attempting to use :any as an allowed method
- Treat incoming
Origin: nullheaders as file://