sealed class CORSPolicy extends AnyRef
A middleware that applies the CORS protocol to any Http
value.
Obtain a reference to a CORSPolicy
via the CORS object,
which represents a default policy.
Requests with an Origin header will receive the appropriate CORS
headers. More headers are available for "pre-flight" requests,
those whose method is OPTIONS
and has an
Access-Control-Request-Method
header.
Requests without the required headers, or requests that fail a CORS origin, method, or headers check are passed through to the underlying Http function, but do not receive any CORS headers in the response. The user agent will then block sharing the resource across origins according to the CORS protocol.
- Source
- CORS.scala
- Alphabetic
- By Inheritance
- CORSPolicy
- AnyRef
- Any
- Hide All
- Show All
- Public
- All
Instance Constructors
- new CORSPolicy(allowOrigin: AllowOrigin, allowCredentials: AllowCredentials, exposeHeaders: ExposeHeaders, allowMethods: AllowMethods, allowHeaders: AllowHeaders, maxAge: MaxAge)
Value Members
-
final
def
!=(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
-
final
def
##(): Int
- Definition Classes
- AnyRef → Any
-
final
def
==(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- def apply[F[_], G[_]](http: Http[F, G])(implicit arg0: Applicative[F]): Http[F, G]
-
final
def
asInstanceOf[T0]: T0
- Definition Classes
- Any
-
def
clone(): AnyRef
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws( ... ) @native()
-
final
def
eq(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
-
def
equals(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
-
def
finalize(): Unit
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws( classOf[java.lang.Throwable] )
-
final
def
getClass(): Class[_]
- Definition Classes
- AnyRef → Any
- Annotations
- @native()
-
def
hashCode(): Int
- Definition Classes
- AnyRef → Any
- Annotations
- @native()
- def httpApp[F[_]](httpApp: HttpApp[F])(implicit arg0: Applicative[F]): HttpApp[F]
- def httpRoutes[F[_]](httpRoutes: HttpRoutes[F])(implicit arg0: Monad[F]): HttpRoutes[F]
-
final
def
isInstanceOf[T0]: Boolean
- Definition Classes
- Any
-
final
def
ne(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
-
final
def
notify(): Unit
- Definition Classes
- AnyRef
- Annotations
- @native()
-
final
def
notifyAll(): Unit
- Definition Classes
- AnyRef
- Annotations
- @native()
-
final
def
synchronized[T0](arg0: ⇒ T0): T0
- Definition Classes
- AnyRef
-
def
toString(): String
- Definition Classes
- AnyRef → Any
-
final
def
wait(): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws( ... )
-
final
def
wait(arg0: Long, arg1: Int): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws( ... )
-
final
def
wait(arg0: Long): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws( ... ) @native()
-
def
withAllowCredentials(b: Boolean): CORSPolicy
Allow credentials.
Allow credentials. Sends an
Access-Control-Allow-Credentials: *
on valid CORS requests if true, and omits the header if false.For security purposes, it is an invalid per the Fetch Living Standard that defines CORS to set this to
true
when any origin is allowed. -
def
withAllowHeadersAll: CORSPolicy
Allows CORS requests with any headers if credentials are not allowed.
Allows CORS requests with any headers if credentials are not allowed. If credentials are allowed, allows requests with a literal header name of
*
, which is almost certainly not what you mean, but per spec.Sends an
Access-Control-Allow-Headers: *
header on valid CORS preflight requests. -
def
withAllowHeadersIn(headers: Set[CIString]): CORSPolicy
Allows CORS requests whose request headers are a subset of the headers enumerated here, or are CORS-safelisted.
Allows CORS requests whose request headers are a subset of the headers enumerated here, or are CORS-safelisted.
If preflight requests send an
Access-Control-Request-Headers
header, its value must be a subset of those passed here.Sends an
Access-Control-Allow-Headers
header with the specified headers on valid CORS preflight requests. -
def
withAllowHeadersReflect: CORSPolicy
Reflects the
Access-Control-Request-Headers
back asAccess-Control-Allow-Headers
on preflight requests.Reflects the
Access-Control-Request-Headers
back asAccess-Control-Allow-Headers
on preflight requests. This is most useful when credentials are allowed and a wildcard forAccess-Control-Allow-Headers
would be treated literally.Sends an
Access-Control-Allow-Headers
header with the specified headers on valid CORS preflight requests. -
def
withAllowHeadersStatic(headers: Set[CIString]): CORSPolicy
Returns a static value in
Access-Control-Allow-Headers
on preflight requests consisting of the supplied headers.Returns a static value in
Access-Control-Allow-Headers
on preflight requests consisting of the supplied headers.Sends an
Access-Control-Allow-Headers
header with the specified headers on valid CORS preflight requests. -
def
withAllowMethodsAll: CORSPolicy
Allows CORS requests with any method if credentials are not allowed.
Allows CORS requests with any method if credentials are not allowed. If credentials are allowed, allows requests with a literal method of
*
, which is almost certainly not what you mean, but per spec.Sends an
Access-Control-Allow-Headers: *
header on valid CORS preflight requests. -
def
withAllowMethodsIn(methods: Set[Method]): CORSPolicy
Allows CORS requests with any of the specified methods allowed.
Allows CORS requests with any of the specified methods allowed.
Preflight requests must send a matching
Access-Control-Request-Method
header to receive a CORS response.Sends an
Access-Control-Allow-Headers
header with the specified headers on valid CORS preflight requests. -
def
withAllowOriginAll: CORSPolicy
Allow CORS requests from any origin with an
Access-Control-Allow-Origin
of*
. -
def
withAllowOriginHeader(p: (Origin) ⇒ Boolean): CORSPolicy
Allow requests from any origin matching the predicate
p
.Allow requests from any origin matching the predicate
p
. On matching requests, the request origin is reflected as theAccess-Control-Allow-Origin
header.The Origin header contains some arcane settings, like multiple origins, or a
null
origin.withAllowOriginHost
is generally more convenient. -
def
withAllowOriginHost(p: (Host) ⇒ Boolean): CORSPolicy
Allow requests from any origin host matching the predicate
p
.Allow requests from any origin host matching the predicate
p
. The origin host is the first value in the request'sOrigin
header, if notnull
header, unless it isnull
. Examples:-
Origin: http://www.example.com
=>http://www.example.com
-Origin: http://www.example.com, http://example.net
=>http://www.example.com
-Origin: null
=> always falseA
Set[Origin.Host]
is often a good choice here, but a predicate is offered to support more advanced matching. -
def
withAllowOriginHostCi(p: (CIString) ⇒ Boolean): CORSPolicy
Allow requests from any origin host whose case-insensitive rendering matches predicate
p
.Allow requests from any origin host whose case-insensitive rendering matches predicate
p
. A concession to the fact that constructing Origin.Host values is verbose.- See also
-
def
withExposeHeadersAll: CORSPolicy
Exposes all response headers to the origin.
Exposes all response headers to the origin.
Sends an
Access-Control-Expose-Headers: *
header on valid CORS non-preflight requests. -
def
withExposeHeadersIn(names: Set[CIString]): CORSPolicy
Exposes specific response headers to the origin.
Exposes specific response headers to the origin. These are in addition to CORS-safelisted response headers.
Sends an
Access-Control-Expose-Headers
header with names as a comma-delimited string on valid CORS non-preflight requests. -
def
withExposeHeadersNone: CORSPolicy
Exposes no response headers to the origin beyond the CORS-safelisted response headers.
Exposes no response headers to the origin beyond the CORS-safelisted response headers.
Sends an
Access-Control-Expose-Headers
header with names as a comma-delimited string on valid CORS non-preflight requests. -
def
withMaxAge(duration: FiniteDuration): CORSPolicy
Sets the duration the results can be cached.
Sets the duration the results can be cached. The duration is truncated to seconds. A negative value results in a cache duration of zero.
Sends an
Access-Control-Max-Age
header with the duration in seconds on preflight requests. -
def
withMaxAgeDefault: CORSPolicy
Sets the duration the results can be cached to the user agent's default.
Sets the duration the results can be cached to the user agent's default. This suppresses the
Access-Control-Max-Age
header. -
def
withMaxAgeDisableCaching: CORSPolicy
Instructs the client to not cache any preflight results.
Instructs the client to not cache any preflight results.
Sends an
Access-Control-Max-Age: -1
header