powerman / perl-mojolicious-plugin-securecors

Perl module: Mojolicious::Plugin::SecureCORS - Complete control over CORS

Home Page: https://metacpan.org/release/Mojolicious-Plugin-SecureCORS

License: Other

Perl 100.00%

perl-mojolicious-plugin-securecors's People

Contributors

rabbiveesh, willsheppard

perl-mojolicious-plugin-securecors's Issues

How to secure POST as well?

I thought 'cors.origin' => '*' would send CORS headers for every method, not only GET.
How can I also secure POST?

after_render doesn't work for render_later

I read another closed issue about after_render, but anyway:

Mojolicious::Controller doesn't call after_render if you render content dynamically and use render_later/write_chunk.

It may be better to use

# pass a code reference, not a call to _request
$app->hook(around_action => \&_request);

and check the $last hook argument in _request.

A warning when `cors.headers` is undefined

Consider the following app:

#!/usr/bin/env perl
use Mojolicious::Lite -signatures;
plugin 'SecureCORS';

# Serves the page below, which issues a cross-origin DELETE to b.example.com
get '/' => sub ($c) {
  $c->render;
} => 'index';

# Preflight (OPTIONS) route for /preflight; cors.headers is left undefined
app->routes->cors('/preflight')->to('cors.origin' => '*');
# The target route must carry cors.origin too, or the actual DELETE gets no CORS headers
del '/preflight' => {'cors.origin' => '*'} => sub ($c) {
  $c->render(text => '');
};

app->start;
__DATA__

@@ index.html.ep
<!doctype html>
<html>
<body>
  <script>
    fetch('http://b.example.com/preflight', {method: 'DELETE'})
      .then(r => console.log(r))
  </script>
</body>
</html>

When a preflight request is handled, it triggers a warning:

Use of uninitialized value $opt{"headers"} in split at /app/local/lib/perl5/Mojolicious/Plugin/SecureCORS.pm line 118.

I'm running perl-5.36.0, Mojolicious-9.31, Mojolicious::Plugin::SecureCORS-2.0.4.

To reproduce it you need to run it on two domains (e.g. a.example.com and b.example.com), and open http://a.example.com.

In case you decide to run it under Docker, you can use the following gist (only the app differs slightly).

Also, the documentation is pretty confusing. Check out e.g. the following Stack Overflow question.

I think you should describe how it works at the beginning: that after each request it checks whether it is a CORS request (the Origin header is present), whether cors.origin is provided, and whether they match. If so, it sets Access-Control-Allow-Origin and optionally Access-Control-Allow-Credentials and Access-Control-Expose-Headers.

To make preflight requests (OPTIONS) work, one needs to define each such route explicitly with app->routes->cors(). That preflight route takes its settings either from the preflight route itself (if cors.origin is set on it) or from the target route. It checks whether cors.origin is specified, whether the Origin header matches it, and whether Access-Control-Request-Headers matches cors.headers. If so, it sets Access-Control-Allow-Origin and Access-Control-Allow-Methods, and possibly Access-Control-Allow-Headers, Access-Control-Allow-Credentials and Access-Control-Max-Age.

And that options are taken from the route, the parent routes and the router. In particular, when you set cors.origin only on the preflight route, you should set it on the target route as well; otherwise the preflight request will succeed, but the target request won't.

That's like describing the whole logic, but the logic is complex, and I think it's worth it.

And this phrase is totally unclear:

This route use "headers" condition, so you can add your own handler for OPTIONS method on same path after this one, to handle non-CORS OPTIONS requests on same path.

https://metacpan.org/pod/Mojolicious::Plugin::SecureCORS
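The matching rules the issue above spells out (option lookup through route, parent routes and router; the preflight checks against cors.origin and cors.headers; the preflight-succeeds-but-target-fails mistake) and the first issue's question about covering POST as well as GET, modelled in Python so they can be run offline. This is an added example, not the plugin's code and not from the issue author. The option names are the ones used on this page; the Route.methods field, the space-separated list form of cors.origin, returning None on a miss, and reflecting the caller's origin when credentials are enabled (browsers reject a wildcard combined with credentials) are this example's own choices.

```python
"""Model of the CORS matching rules described in the issue above.
Constructed example; not Mojolicious::Plugin::SecureCORS code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    """A route with stash defaults and an optional parent (under/group)."""
    options: dict = field(default_factory=dict)   # e.g. {"cors.origin": "*"}
    methods: tuple = ()                            # HTTP methods the route answers (assumed field)
    parent: Optional["Route"] = None

    def opt(self, name: str):
        # Route -> parent routes -> router: the first definition wins.
        r = self
        while r is not None:
            if name in r.options:
                return r.options[name]
            r = r.parent
        return None


def origin_allowed(allowed, origin: str) -> bool:
    """cors.origin is '*' or a space-separated list of exact origins (assumed form)."""
    if allowed is None:
        return False
    return allowed == "*" or origin in allowed.split()


def header_list(value) -> list:
    """Comma-separated header list; an undefined cors.headers means nothing is
    allowed. Checking for None first is what avoids splitting an undefined value."""
    if not value:
        return []
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def actual_headers(route: Route, req: dict) -> dict:
    """CORS headers for a normal response; empty unless it is a matching CORS request."""
    origin = req.get("Origin")
    allowed = route.opt("cors.origin")
    if origin is None or not origin_allowed(allowed, origin):
        return {}
    credentials = bool(route.opt("cors.credentials"))
    out = {}
    # Browsers reject '*' together with credentials, so reflect the caller's
    # origin in that case and tell caches the answer varies by Origin.
    if allowed == "*" and not credentials:
        out["Access-Control-Allow-Origin"] = "*"
    else:
        out["Access-Control-Allow-Origin"] = origin
        out["Vary"] = "Origin"
    if credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if route.opt("cors.expose"):
        out["Access-Control-Expose-Headers"] = route.opt("cors.expose")
    return out


def preflight(pre: Route, target: Route, req: dict):
    """Decide an OPTIONS preflight: (204, headers) on success, None on a miss.
    Settings come from the preflight route when it (or a parent) defines
    cors.origin, otherwise from the target route. A miss lets a later OPTIONS
    route on the same path answer; with none, the client sees a 404."""
    src = pre if pre.opt("cors.origin") is not None else target
    origin = req.get("Origin")
    method = req.get("Access-Control-Request-Method")
    if origin is None or method is None or method not in target.methods:
        return None                            # not a preflight we can answer
    wanted = header_list(req.get("Access-Control-Request-Headers"))
    permitted = header_list(src.opt("cors.headers"))
    if any(h not in permitted for h in wanted):
        return None                            # asks for a header never allowed
    out = actual_headers(src, {"Origin": origin})
    if not out:
        return None                            # Origin does not match cors.origin
    out.pop("Access-Control-Expose-Headers", None)   # only meaningful on real responses
    out["Access-Control-Allow-Methods"] = ", ".join(target.methods)
    if permitted:
        out["Access-Control-Allow-Headers"] = ", ".join(permitted)
    if src.opt("cors.maxage"):
        out["Access-Control-Max-Age"] = str(src.opt("cors.maxage"))
    return 204, out


def demo() -> dict:
    """Case A: cors.origin only on the preflight route (the mistake the issue
    warns about). Case B: cors.origin on a shared parent, so GET, POST and the
    preflight all inherit it (what the first issue asks for). Constructed input."""
    site = "http://a.example.com"
    del_req = {"Origin": site, "Access-Control-Request-Method": "DELETE"}
    post_req = {"Origin": site, "Access-Control-Request-Method": "POST"}
    target_a = Route(methods=("DELETE",))
    pre_a = Route({"cors.origin": "*"})
    api = Route({"cors.origin": site, "cors.headers": "X-Requested-With"})
    items = Route(methods=("GET", "POST"), parent=api)
    pre_b = Route(parent=api)
    return {
        "a_pre": preflight(pre_a, target_a, del_req),          # 204: preflight passes
        "a_act": actual_headers(target_a, {"Origin": site}),   # {}: real DELETE is blocked
        "b_pre": preflight(pre_b, items, {**post_req, "Access-Control-Request-Headers": "x-requested-with"}),
        "b_post": actual_headers(items, {"Origin": site}),     # POST inherits the parent's cors.origin
        "b_bad": preflight(pre_b, items, {**post_req, "Access-Control-Request-Headers": "Authorization"}),
    }
```

Case A reproduces the issue's warning: the OPTIONS route answers 204, but the DELETE route has no cors.origin of its own and so returns no Access-Control-Allow-Origin, which the browser treats as a blocked response. Case B puts the options on a parent route, which is the shape the first issue's author wanted for GET and POST; the same parent also makes a request for Authorization fail preflight because it is not listed in cors.headers.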

Doesn't work for static files

Files shared under the public (or other static directories) don't trigger the necessary hook to get checked for CORS settings.

Can no longer install 2.0.1

We've spent most of the weekend trying to get SecureCORS to install, and it's failed every time.

We've tried installing it on

  1. Ubuntu 14.04 under OpenVZ, as that's what our hosting agent uses.
  2. Ubuntu 16.04 under OpenVZ, as that's what our hosting agent uses.
  3. Ubuntu 16.04 under ESXi internally.

Every time we try to install it we get the same error. See below.

Now what puzzles us is that we have installed this (or think we have) many times, and we can see it installed on an OpenVZ server running Ubuntu 16.04. It's actually part of a script we use to build a server, so we haven't noticed any issues.

We keep going back to the servers, installing the OS, updating them and trying but no joy.

Any suggestions welcomed.

Thanks

Rob

root@demo2:~# cpanm Mojolicious::Plugin::SecureCORS
--> Working on Mojolicious::Plugin::SecureCORS
Fetching http://www.cpan.org/authors/id/P/PO/POWERMAN/Mojolicious-Plugin-SecureCORS-v2.0.1.tar.gz ... OK
Configuring Mojolicious-Plugin-SecureCORS-v2.0.1 ... OK
Building and testing Mojolicious-Plugin-SecureCORS-v2.0.1 ... FAIL
! Installing Mojolicious::Plugin::SecureCORS failed. See /root/.cpanm/work/1534691851.20108/build.log for details. Retry with --force to force install it.
root@demo2:~# cat /root/.cpanm/work/1534691851.20108/build.log
cpanm (App::cpanminus) 1.7044 on perl 5.018002 built for x86_64-linux-gnu-thread-multi
Work directory is /root/.cpanm/work/1534691851.20108
You have make /usr/bin/make
You have /usr/bin/wget
You have /bin/tar: tar (GNU tar) 1.27.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
You have /usr/bin/unzip
Searching Mojolicious::Plugin::SecureCORS () on cpanmetadb ...
--> Working on Mojolicious::Plugin::SecureCORS
Fetching http://www.cpan.org/authors/id/P/PO/POWERMAN/Mojolicious-Plugin-SecureCORS-v2.0.1.tar.gz
-> OK
Unpacking Mojolicious-Plugin-SecureCORS-v2.0.1.tar.gz
Entering Mojolicious-Plugin-SecureCORS-v2.0.1
Checking configure dependencies from META.json
Checking if you have Module::Build::Tiny 0.034 ... Yes (0.039)
Configuring Mojolicious-Plugin-SecureCORS-v2.0.1
Running Build.PL
Creating new 'Build' script for 'Mojolicious-Plugin-SecureCORS' version 'v2.0.1'
-> OK
Checking dependencies from MYMETA.json ...
Checking if you have List::MoreUtils 0.34 ... Yes (0.428)
Checking if you have Mojolicious::Lite 0 ... Yes (undef)
Checking if you have Mojolicious 6 ... Yes (7.93)
Checking if you have Test::More 0 ... Yes (0.98)
Checking if you have Mojo::Base 0 ... Yes (undef)
Checking if you have Test::Mojo 0 ... Yes (undef)
Building and testing Mojolicious-Plugin-SecureCORS-v2.0.1
cp lib/Mojolicious/Plugin/SecureCORS.pm blib/lib/Mojolicious/Plugin/SecureCORS.pm
# Testing Mojolicious::Plugin::SecureCORS v2.0.1, Perl 5.018002, /usr/bin/perl
t/00.load.t ............... ok
t/01.export.t ............. skipped: This module doesn't export anything
t/author-perlcritic.t ..... skipped: these tests are for testing by the author
t/author-pod-syntax.t ..... skipped: these tests are for testing by the author

#   Failed test '204 No Content'
#   at t/basic.t line 61.
#          got: '404'
#     expected: '204'

#   Failed test '204 No Content'
#   at t/basic.t line 64.
#          got: '404'
#     expected: '204'

#   Failed test '204 No Content'
#   at t/basic.t line 67.
#          got: '404'
#     expected: '204'

#   Failed test 'Access-Control-Allow-Origin: http://ya.local'
#   at t/basic.t line 70.
#          got: undef
#     expected: 'http://ya.local'

#   Failed test '204 No Content'
#   at t/basic.t line 70.
#          got: '404'
#     expected: '204'

#   Failed test '204 No Content'
#   at t/basic.t line 73.
#          got: '404'
#     expected: '204'

#   Failed test '204 No Content'
#   at t/basic.t line 77.
#          got: '404'
#     expected: '204'

#   Failed test 'Access-Control-Allow-Origin: http://ya.local'
#   at t/basic.t line 84.
#          got: undef
#     expected: 'http://ya.local'

#   Failed test 'Access-Control-Allow-Methods: PUT'
#   at t/basic.t line 84.
#          got: undef
#     expected: 'PUT'

#   Failed test 'Access-Control-Allow-Headers: X-Requested-With'
#   at t/basic.t line 84.
#          got: undef
#     expected: 'X-Requested-With'

#   Failed test 'Access-Control-Allow-Credentials: true'
#   at t/basic.t line 84.
#          got: undef
#     expected: 'true'

#   Failed test '204 No Content'
#   at t/basic.t line 84.
#          got: '404'
#     expected: '204'

#   Failed test '204 No Content'
#   at t/basic.t line 94.
#          got: '404'
#     expected: '204'
# Looks like you failed 13 tests of 86.
t/basic.t .................
Dubious, test returned 13 (wstat 3328, 0xd00)
Failed 13/86 subtests
t/release-distribution.t .. skipped: these tests are for release candidate testing

Test Summary Report
-------------------
t/basic.t               (Wstat: 3328 Tests: 86 Failed: 13)
  Failed tests:  27, 30, 33, 35-36, 39, 42, 44-48, 51
  Non-zero exit status: 13
Files=6, Tests=87,  1 wallclock secs ( 0.04 usr  0.02 sys +  0.70 cusr  0.17 csys =  0.93 CPU)
Result: FAIL
-> FAIL Installing Mojolicious::Plugin::SecureCORS failed. See /root/.cpanm/work/1534691851.20108/build.log for details. Retry with --force to force install it.
