Plack-Middleware-CrossOrigin-0.014/0000755000000000000000000000000013437446561017216 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/LICENSE0000644000000000000000000004347313437446561020236 0ustar00rootwheel00000000000000Terms of the Perl programming language system itself a) the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version, or b) the "Artistic License" --- The GNU General Public License, Version 1, February 1989 --- This software is Copyright (c) 2019 by haarg - Graham Knop (cpan:HAARG) . This is free software, licensed under: The GNU General Public License, Version 1, February 1989 GNU GENERAL PUBLIC LICENSE Version 1, February 1989 Copyright (C) 1989 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The license agreements of most software companies try to keep users at the mercy of those companies. By contrast, our General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. The General Public License applies to the Free Software Foundation's software and to any other program whose authors commit to using it. You can use it for your programs, too. When we speak of free software, we are referring to freedom, not price. Specifically, the General Public License is designed to make sure that you have the freedom to give away or sell copies of free software, that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of a such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must tell them their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any work containing the Program or a portion of it, either verbatim or with modifications. Each licensee is addressed as "you". 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this General Public License and to the absence of any warranty; and give any other recipients of the Program a copy of this General Public License along with the Program. You may charge a fee for the physical act of transferring a copy. 2. You may modify your copy or copies of the Program or any portion of it, and copy and distribute such modifications under the terms of Paragraph 1 above, provided that you also do the following: a) cause the modified files to carry prominent notices stating that you changed the files and the date of any change; and b) cause the whole of any work that you distribute or publish, that in whole or in part contains the Program or any part thereof, either with or without modifications, to be licensed at no charge to all third parties under the terms of this General Public License (except that you may choose to grant warranty protection to some or all third parties, at your option). c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the simplest and most usual way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this General Public License. d) You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. Mere aggregation of another independent work with the Program (or its derivative) on a volume of a storage or distribution medium does not bring the other work under the scope of these terms. 3. You may copy and distribute the Program (or a portion or derivative of it, under Paragraph 2) in object code or executable form under the terms of Paragraphs 1 and 2 above provided that you also do one of the following: a) accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Paragraphs 1 and 2 above; or, b) accompany it with a written offer, valid for at least three years, to give any third party free (except for a nominal charge for the cost of distribution) a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Paragraphs 1 and 2 above; or, c) accompany it with the information you received as to where the corresponding source code may be obtained. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form alone.) Source code for a work means the preferred form of the work for making modifications to it. For an executable file, complete source code means all the source code for all modules it contains; but, as a special exception, it need not include source code for modules which are standard libraries that accompany the operating system on which the executable file runs, or for standard header files or definitions files that accompany that operating system. 4. You may not copy, modify, sublicense, distribute or transfer the Program except as expressly provided under this General Public License. Any attempt otherwise to copy, modify, sublicense, distribute or transfer the Program is void, and will automatically terminate your rights to use the Program under this License. However, parties who have received copies, or rights to use copies, from you under this General Public License will not have their licenses terminated so long as such parties remain in full compliance. 5. By copying, distributing or modifying the Program (or any work based on the Program) you indicate your acceptance of this license to do so, and all its terms and conditions. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. 7. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of the license which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the license, you may choose any version ever published by the Free Software Foundation. 8. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 9. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 10. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to humanity, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19xx name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (a program to direct compilers to make passes at assemblers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice That's all there is to it! --- The Artistic License 1.0 --- This software is Copyright (c) 2019 by haarg - Graham Knop (cpan:HAARG) . This is free software, licensed under: The Artistic License 1.0 The Artistic License Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications. Definitions: - "Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification. - "Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder. - "Copyright Holder" is whoever is named in the copyright or copyrights for the package. - "You" is you, if you're thinking about copying or distributing this Package. - "Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.) - "Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it. 1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers. 2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version. 3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following: a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package. b) use the modified Package only within your corporation or organization. c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version. d) make other distribution arrangements with the Copyright Holder. 4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version. b) accompany the distribution with the machine-readable source of the Package with your modifications. c) accompany any non-standard executables with their corresponding Standard Version executables, giving the non-standard executables non-standard names, and clearly documenting the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version. d) make other distribution arrangements with the Copyright Holder. 5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. 6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package. 7. C or perl subroutines supplied by you and linked into this Package shall not be considered part of this Package. 8. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission. 9. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. The End Plack-Middleware-CrossOrigin-0.014/Changes0000644000000000000000000000325113437446537020515 0ustar00rootwheel00000000000000Revision history for Plack-Middleware-CrossOrigin 0.014 - 2019-03-05 - fix wildcards being able to match numbers 0.013 - 2019-02-14 - Allow using wildcards inside origins to match partial host names - Convert packaging from Dist::Zilla to Distar - Always add a "Vary: Origin" header to avoid issues with caches 0.012 Dec 07 2014 - Include real change log entry for 0.011 0.011 Dec 07 2014 - Use single comma separated headers rather than multiple headers for better compatibility with IE 0.010 Aug 15 2014 - updated to match spec, with only one origin - specify minimum perl version 0.009 Feb 20 2013 - Suppress warnings when checking for buggy WebKit browsers. (Dave Rolsky) 0.008 Jan 29 2013 - Updated browser support documentation. 0.007 Sep 12 2011 - Add continue_on_failure to allow requests to be processed as if the module was not used. - Note required version of Test::More - Fix POD formatting 0.006 Jun 16 2011 - Only apply WebKit workaround to older versions - additional documentation and references, including notes on CSRF protection - Added a psgi script to help test browser behavior 0.005 Mar 16 2011 - Add a workaround for WebKit browsers with preflighted GET requests. 0.004 Feb 08 2011 - Allow setting expose_headers to * to allow all headers. - Fix cross origin OPTIONS requests. - Include all default HTTP and WebDAV methods by default. - Include common WebDAV and web framework headers as allowed headers by default. 0.003 Sep 22 2010 - Fixed handling of expose_headers 0.002 Sep 21 2010 - Fixed handling of allowed headers 0.001 Sep 19 2010 - Initial release Plack-Middleware-CrossOrigin-0.014/MANIFEST0000644000000000000000000000072313437446561020351 0ustar00rootwheel00000000000000Changes lib/Plack/Middleware/CrossOrigin.pm maint/Makefile.PL.include Makefile.PL MANIFEST This list of files t/basic.t xt/pod-coverage.t xt/pod-syntax.t META.yml Module YAML meta-data (added by MakeMaker) META.json Module JSON meta-data (added by MakeMaker) README README file (added by Distar) LICENSE LICENSE file (added by Distar) Plack-Middleware-CrossOrigin-0.014/t/0000755000000000000000000000000013437446560017460 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/t/basic.t0000644000000000000000000003474213437446362020740 0ustar00rootwheel00000000000000use strict; use warnings; use Test::More 0.88; use Plack::Middleware::CrossOrigin; use Plack::Test; use Plack::Builder; test_psgi app => builder { enable 'CrossOrigin', origins => '*', headers => '*', methods => '*', credentials => 0, max_age => 60*60*24*30, expose_headers => 'X-Exposed-Header', ; sub { [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello World' ] ] }; }, client => sub { my $cb = shift; my $req; my $res; $req = HTTP::Request->new(GET => 'http://localhost/'); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'No CORS headers added with no Origin header'; is $res->header('Vary'), 'Origin', '... but Vary header added'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), '*', 'Access-Control-Allow-Origin header added'; is $res->header('Access-Control-Expose-Headers'), 'X-Exposed-Header', 'Access-Control-Expose-Headers header added'; is $res->header('Access-Control-Max-Age'), undef, 'No Max-Age header for simple request'; is $res->header('Vary'), 'Origin', 'Vary header added'; is $res->content, 'Hello World', "CORS handling doesn't interfere with request content"; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), '*', 'Access-Control-Allow-Origin header added for preflight'; is $res->header('Access-Control-Allow-Methods'), 'POST', 'Access-Control-Allow-Methods header added for preflight'; is $res->header('Vary'), 'Origin', 'Vary header added for preflight'; is $res->header('Access-Control-Max-Age'), 60*60*24*30, 'Max-Age header added for preflight'; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Access-Control-Request-Headers' => 'X-Extra-Header', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); ok $res->header('Access-Control-Allow-Origin'), 'Request with extra headers allowed'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Referer' => 'http://www.example.com/page', 'User-Agent' => 'AppleWebKit/534.16', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), '*', 'Buggy GET request from WebKit includes Allow-Origin header'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Referer' => 'http://www.example.com/page', 'User-Agent' => 'AppleWebKit/534.19', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'New versions of WebKit don\'t trigger referer workaround'; is $res->header('Vary'), 'Origin', 'Vary header added'; my @warnings; local $SIG{__WARN__} = sub { push @warnings, join '', @_ }; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'User-Agent' => 'AppleWebKit/534.16', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'Buggy GET request from WebKit without Referer does not include Allow-Origin header'; is $res->header('Vary'), 'Origin', 'Vary header added'; is_deeply \@warnings, [], 'No warnings from buggy WebKit request'; }; test_psgi app => builder { enable 'CrossOrigin', origins => [ 'http://www.example.com' ], methods => ['GET', 'POST'], headers => ['X-Extra-Header', 'X-Extra-Header-2'], max_age => 60*60*24*30, expose_headers => '*', ; sub { [ 200, [ 'Content-Type' => 'text/plain', 'X-Some-Other-Header' => 'true', ], [ 'Hello World' ] ] }; }, client => sub { my $cb = shift; my $req; my $res; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Access-Control-Request-Headers' => 'X-Extra-Header', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); ok $res->header('Access-Control-Allow-Origin'), 'Request with explicitly listed extra header allowed'; is $res->header('Access-Control-Allow-Origin'), 'http://www.example.com', 'Explicitly listed origin returned'; is $res->header('Access-Control-Allow-Headers'), 'X-Extra-Header, X-Extra-Header-2', 'Allowed headers returned'; is $res->header('Access-Control-Allow-Methods'), 'GET, POST', 'Allowed methods returned'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Access-Control-Request-Headers' => 'X-Extra-Header-Other', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'Request with unmatched extra header rejected'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Origin' => 'http://www.example2.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'Request with unmatched origin rejected'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'DELETE', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'Request with unmatched method rejected'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->content, 'Hello World', 'OPTIONS request without Allow-Origin processes as normal'; is $res->header('Access-Control-Expose-Headers'), 'Vary, X-Some-Other-Header', 'Wildcard expose headers returned'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Referer' => 'http://www.example.com/page', 'User-Agent' => 'AppleWebKit/534.16', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), 'http://www.example.com', 'Buggy GET request from WebKit includes Allow-Origin header based on referer'; is $res->header('Vary'), 'Origin', 'Vary header added'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Referer' => 'http://www.example.com/page', 'User-Agent' => 'AppleWebKit/534.19', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), undef, 'New versions of WebKit don\'t trigger referer workaround'; is $res->header('Vary'), 'Origin', 'Vary header added'; }; test_psgi app => builder { enable 'CrossOrigin', origins => '*', methods => '*', credentials => 1, ; sub { [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello World' ] ] }; }, client => sub { my $cb = shift; my $req; my $res; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Credentials'), 'true', 'Resource with credentials adds correct header'; is $res->header('Access-Control-Allow-Origin'), 'http://www.example.com', '... and an explicit origin'; is $res->header('Vary'), 'Origin', '... and the Vary header'; }; my $has_run; test_psgi app => builder { enable 'CrossOrigin', origins => 'http://localhost', ; sub { $has_run = 1; [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello World' ] ]; }; }, client => sub { my $cb = shift; my $req; my $res; $req = HTTP::Request->new(POST => 'http://localhost/', [ 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->code, 403, 'Disallowed simple request returns 403 error'; ok ! $has_run, ' ... and aborts before running main app'; is $res->header('Vary'), 'Origin', ' ... but still adds the Vary header'; $has_run = 0; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Referer' => 'http://www.example.com/page', 'User-Agent' => 'AppleWebKit/534.16', ]); $res = $cb->($req); ok $has_run, 'WebKit workaround always allows app to run'; is $res->header('Vary'), 'Origin', 'Vary header added'; }; test_psgi app => builder { enable 'CrossOrigin', origins => 'http://localhost', continue_on_failure => 1, ; sub { $has_run = 1; [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello World' ] ]; }; }, client => sub { my $cb = shift; my $req; my $res; $has_run = 0; $req = HTTP::Request->new(POST => 'http://localhost/', [ 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); ok $has_run, 'continue_on_failure allows main app to run for simple requests'; is $res->code, 200, ' ... and passes through results'; is $res->header('Access-Control-Allow-Origin'), undef, ' ... and doesn\'t add headers to allow CORS'; is $res->header('Vary'), 'Origin', ' ... but adds the Vary header'; $has_run = 0; $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); ok ! $has_run, 'continue_on_failure doesn\'t run main app for preflighted request'; is $res->header('Vary'), 'Origin', ' ... but adds the Vary header'; }; { my @headers = ('Content-Type' => 'text/plain', 'Vary' => 'Accept-Language'); test_psgi app => builder { enable 'CrossOrigin', origins => 'http://localhost', ; sub { [ 200, [ @headers ], [ 'Hello World' ] ]; }; }, client => sub { my $cb = shift; my $req; my $res; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Origin' => 'http://localhost', ]); $res = $cb->($req); is $res->header('Vary'), 'Accept-Language, Origin', 'Vary header extended'; unshift @headers, 'Vary' => 'Origin'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Origin' => 'http://localhost', ]); $res = $cb->($req); is $res->header('Vary'), 'Origin, Accept-Language', 'Vary header not duplicated'; }; } { # Test that the access control headers are returned as single headers # with comma-separated values. IE 11 (at least) appears to only evaluate # the first 'Access-Control-Allow-Headers' header. # # We can't use test_psgi for this test because after the PSGI response # is parsed by HTTP::Response we can no longer tell how the headers were # actually formatted. my $app = builder { enable 'CrossOrigin', origins => [ 'http://www.example.com' ], methods => ['GET', 'POST'], headers => ['X-Extra-Header', 'X-Extra-Header-2'], expose_headers => ['X-Exposed-Header', 'X-Exposed-Header2'], ; sub { [ 200, [ 'Content-Type' => 'text/plain', ], [ 'Hello World' ] ] }; }; my $req = HTTP::Request->new(OPTIONS => 'http://localhost/', [ 'Access-Control-Request-Method' => 'POST', 'Origin' => 'http://www.example.com', ]); my $res = $app->($req->to_psgi); is_deeply($res, [ 200, [ 'Content-Type' => 'text/plain', 'Vary' => 'Origin', 'Access-Control-Allow-Origin' => 'http://www.example.com', 'Access-Control-Allow-Methods' => 'GET, POST', 'Access-Control-Allow-Headers' => 'X-Extra-Header, X-Extra-Header-2', 'Access-Control-Expose-Headers' => 'X-Exposed-Header, X-Exposed-Header2' ], [] ], 'headers returned as comma separated values for the benenfit of IE'); } test_psgi app => builder { enable 'CrossOrigin', origins => [ 'http://*.example.com' ], ; sub { [ 200, [ 'Content-Type' => 'text/plain', ], [ 'Hello World' ] ] }; }, client => sub { my $cb = shift; my $req; my $res; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Access-Control-Request-Method' => 'GET', 'Origin' => 'http://www.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), 'http://www.example.com', 'wildcard as partial domain allowed'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Access-Control-Request-Method' => 'GET', 'Origin' => 'http://www2.example.com', ]); $res = $cb->($req); is $res->header('Access-Control-Allow-Origin'), 'http://www2.example.com', 'wildcard as partial domain matches numbers'; $req = HTTP::Request->new(GET => 'http://localhost/', [ 'Access-Control-Request-Method' => 'GET', 'Origin' => 'http://www.example2.com', ]); $res = $cb->($req); ok !$res->header('Access-Control-Allow-Origin'), 'non-matching origin not allowed with wildcard'; }, ; done_testing; Plack-Middleware-CrossOrigin-0.014/xt/0000755000000000000000000000000013437446560017650 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/xt/pod-syntax.t0000644000000000000000000000010413431272463022127 0ustar00rootwheel00000000000000use strict; use warnings; use Test::Pod 1.41; all_pod_files_ok(); Plack-Middleware-CrossOrigin-0.014/xt/pod-coverage.t0000644000000000000000000000023513431272463022401 0ustar00rootwheel00000000000000use strict; use warnings; use Test::Pod::Coverage 1.08; use Pod::Coverage::TrustPod; all_pod_coverage_ok({ coverage_class => 'Pod::Coverage::TrustPod' }); Plack-Middleware-CrossOrigin-0.014/README0000644000000000000000000002151413437446561020101 0ustar00rootwheel00000000000000NAME Plack::Middleware::CrossOrigin - Adds headers to allow Cross-Origin Resource Sharing SYNOPSIS # Allow any WebDAV or standard HTTP request from any location. builder { enable 'CrossOrigin', origins => '*'; $app; }; # Allow GET and POST requests from any location, cache results for 30 days. builder { enable 'CrossOrigin', origins => '*', methods => ['GET', 'POST'], max_age => 60*60*24*30; $app; }; DESCRIPTION Adds Cross Origin Request Sharing headers used by modern browsers to allow "XMLHttpRequest" to work across domains. This module will also help protect against CSRF attacks in some browsers. This module attempts to fully conform to the CORS spec, while allowing additional flexibility in the values specified for the of the headers. The module also ensures that the response contains a "Vary: Origin" header to avoid potential issues with caches. CORS REQUESTS IN BRIEF There are two types of CORS requests. Simple requests, and preflighted requests. Simple Requests A simple request is one that could be generated by a standard HTML form. Either a "GET" or "POST" request, with no additional headers. For these requests, the server processes the request as normal, and attaches the correct CORS headers in the response. The browser then decides based on those headers whether to allow the client script access to the response. Preflighted Requests If additional headers are specified, or a method other than "GET" or "POST" is used, the request must be preflighted. This means that the browser will first send a special request to the server to check if access is allowed. If the server allows it by responding with the correct headers, the actual request is then performed. CSRF Protection Some browsers will also provide same headers with cross domain "POST" requests from HTML forms. These requests will also be checked against the allowed origins and rejected before they reach the rest of your Plack application. CONFIGURATION origins A list of allowed origins. Origins should be formatted as a URL scheme and host, with no path information. ("http://www.example.com") '"*"' can be specified to allow access from any location. Wildcards ("*") can also be included in in the host to match any part of a host name (e.g. "https://*.example.com"). At least one origin must bust be specified for this middleware to have any effect. This will be matched against the "Origin" request header, and will control the "Access-Control-Allow-Origin" response header. If the origin does not match, the request is aborted. headers A list of allowed request headers. '"*"' can be specified to allow any headers. Controls the "Access-Control-Allow-Headers" response header. Includes a set of headers by default to simplify working with WebDAV and AJAX frameworks: * "Cache-Control" * "Depth" * "If-Modified-Since" * "User-Agent" * "X-File-Name" * "X-File-Size" * "X-Prototype-Version" * "X-Requested-With" methods A list of allowed methods. '"*"' can be specified to allow any methods. Controls the "Access-Control-Allow-Methods" response header. Defaults to all of the standard HTTP and WebDAV methods. max_age The max length in seconds to cache the response data for. Controls the "Access-Control-Max-Age" response header. If not specified, the web browser will decide how long to use. expose_headers A list of allowed headers to expose to the client. '"*"' can be specified to allow the browser to see all of the response headers. Controls the "Access-Control-Expose-Headers" response header. credentials Whether the resource will be allowed with user credentials (cookies, HTTP authentication, and client-side SSL certificates) supplied. Controls the "Access-Control-Allow-Credentials" response header. continue_on_failure Normally, simple requests with an Origin that hasn't been allowed will be stopped before they continue to the main app. If this option is set, the request will be allowed to continue, but no CORS headers will be added to the response. This matches how non-allowed requests would be handled if this module was not used at all. This disables the CSRF protection and is not recommended. It could be needed for applications that need to allow cross-origin HTML form "POST"s without whitelisting domains. BROWSER SUPPORT Different browsers have different levels of support for CORS headers. Gecko (Firefox, Seamonkey) Initially supported in Gecko 1.9.1 (Firefox 3.5). Supports the complete CORS spec for "XMLHttpRequest"s. Does not yet provide the "Origin" header for CSRF protection (Bugzilla #446344 ). WebKit (Safari, Google Chrome) Initially supported in Safari 4 and Chrome 3. Supports the complete CORS spec. The "expose_headers" feature has been supported since WebKit v535.18 (Safari 6, Chrome 18). Preflighted requests were buggy prior to WebKit v534.19 (Safari 5.1, Chrome 11), but this module uses a workaround where possible (using the "Referer" header). Also provides the "Origin" header for CSRF protection starting with WebKit v528.5 (Chrome 2, Safari 4). Internet Explorer Initially supported in IE8. Not supported with the standard "XMLHttpRequest" object. A separate object, "XDomainRequest", must be used. Only "GET" and "POST" methods are allowed. No extra headers can be added to the request. Neither the status code or any headers aside from "Content-Type" can be retrieved from the response. IE10 supports CORS via the standard "XMLHttpRequest" object. Opera Opera and Opera Mobile support CORS since version 12. SEE ALSO CORS Resources * W3C Spec for Cross-Origin Resource Sharing * W3C Spec for Cross-Origin Resource Sharing - Implementation Considerations * Mozilla Developer Center - HTTP Access Control * Mozilla Developer Center - Server-Side Access Control * Cross browser examples of using CORS requests * MSDN - XDomainRequest Object * XDomainRequest - Restrictions, Limitations and Workarounds * Wikipedia - Cross-Origin Resource Sharing * CORS advocacy CSRF Resources * Wikipedia - Cross-site request forgery * Stanford Web Security Research - Cross-Site Request Forgery * WebKit Bugzilla - Add origin header to POST requests * Mozilla Bugzilla - Implement Origin header CSRF mitigation Related Technologies * Cross-domain policy file for Flash * Wikipedia - JSONP AUTHOR Graham Knop COPYRIGHT AND LICENSE This software is copyright (c) 2011 by Graham Knop. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. AUTHOR haarg - Graham Knop (cpan:HAARG) CONTRIBUTORS None so far. COPYRIGHT Copyright (c) 2011 the Plack::Middleware::CrossOrigin "AUTHOR" and "CONTRIBUTORS" as listed above. LICENSE This library is free software and may be distributed under the same terms as perl itself. Plack-Middleware-CrossOrigin-0.014/META.yml0000644000000000000000000000171013437446560020465 0ustar00rootwheel00000000000000--- abstract: 'Adds headers to allow Cross-Origin Resource Sharing' author: - 'haarg - Graham Knop (cpan:HAARG) ' build_requires: Plack::App::File: '0' Plack::Builder: '0' Plack::Request: '0' Plack::Test: '0' Socket: '0' Test::More: '0.88' configure_requires: {} dynamic_config: 1 generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html version: '1.4' name: Plack-Middleware-CrossOrigin no_index: directory: - t - xt requires: Plack::Middleware: '0' Plack::Util: '0' Plack::Util::Accessor: '0' parent: '0' perl: '5.008' resources: bugtracker: https://github.com/haarg/Plack-Middleware-CrossOrigin/issues license: http://dev.perl.org/licenses/ repository: https://github.com/haarg/Plack-Middleware-CrossOrigin.git version: '0.014' x_serialization_backend: 'CPAN::Meta::YAML version 0.018' Plack-Middleware-CrossOrigin-0.014/lib/0000755000000000000000000000000013437446560017763 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/lib/Plack/0000755000000000000000000000000013437446560021015 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/lib/Plack/Middleware/0000755000000000000000000000000013437446560023072 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/lib/Plack/Middleware/CrossOrigin.pm0000644000000000000000000003443713437446527025707 0ustar00rootwheel00000000000000package Plack::Middleware::CrossOrigin; use strict; use warnings; our $VERSION = '0.014'; $VERSION =~ tr/_//d; use 5.008; use parent qw(Plack::Middleware); use Plack::Util; use Plack::Util::Accessor qw( origins headers methods max_age expose_headers credentials continue_on_failure ); my @simple_headers = qw( Accept Accept-Language Content-Language ); my @simple_response_headers = qw( Cache-Control Content-Language Content-Type Expires Last-Modified Pragma ); my @common_headers = qw( Cache-Control Depth If-Modified-Since User-Agent X-File-Name X-File-Size X-Requested-With X-Prototype-Version ); # RFC 7231 my @http_methods = qw( GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE ); # RFC 5789 my @rfc_5789_methods = qw( PATCH ); my @webdav_methods = qw( CANCELUPLOAD CHECKIN CHECKOUT COPY DELETE GETLIB LOCK MKCOL MOVE OPTIONS PROPFIND PROPPATCH PUT REPORT UNCHECKOUT UNLOCK UPDATE VERSION-CONTROL ); my @all_methods = ( @http_methods, @rfc_5789_methods, @webdav_methods ); sub prepare_app { my ($self) = @_; $self->origins([$self->origins || ()]) unless ref $self->origins; $self->methods([$self->methods || @all_methods]) unless ref $self->methods; $self->headers([$self->headers || @common_headers]) unless ref $self->headers; $self->expose_headers([$self->expose_headers || ()]) unless ref $self->expose_headers; $self->{origins_h} = { map { $_ => 1 } @{ $self->origins } }; ($self->{origins_re}) = map qr/\A(?:$_)\z/, join '|', map +( join '[a-z0-9.-]*', map quotemeta, split /\*/, $_, -1 ), @{ $self->origins }; $self->{methods_h} = { map { $_ => 1 } @{ $self->methods } }; $self->{headers_h} = { map { lc $_ => 1 } @{ $self->headers } }; $self->{expose_headers_h} = { map { $_ => 1 } @{ $self->expose_headers } }; } sub call { my ($self, $env) = @_; my $origin = $env->{HTTP_ORIGIN}; my $continue_on_failure; if ($origin) { $continue_on_failure = $self->continue_on_failure; } # for preflighted GET requests, some WebKit versions don't # include Origin with the actual request. Fixed in current versions # of WebKit, Chrome, and Safari. # Work around it using the Referer header. # https://bugs.webkit.org/show_bug.cgi?id=50773 # http://code.google.com/p/chromium/issues/detail?id=57836 elsif ($env->{REQUEST_METHOD} eq 'GET' && $env->{HTTP_USER_AGENT} && $env->{HTTP_USER_AGENT} =~ m{\bAppleWebKit/(\d+\.\d+)} && $1 < 534.19 && $env->{HTTP_REFERER} && $env->{HTTP_REFERER} =~ m{\A ( \w+://[^/]+ )}msx ) { $origin = $1; $continue_on_failure = 1; } else { return _with_vary($self->app->($env)); } my $request_method = $env->{HTTP_ACCESS_CONTROL_REQUEST_METHOD}; my $request_headers = $env->{HTTP_ACCESS_CONTROL_REQUEST_HEADERS}; my @request_headers = $request_headers ? (split /,\s*/, $request_headers) : (); my $preflight = $env->{REQUEST_METHOD} eq 'OPTIONS' && $request_method; my $fail = $continue_on_failure && !$preflight ? $self->app : \&_response_forbidden; my $allowed_origins_h = $self->{origins_h}; my $allowed_methods = $self->methods; my $allowed_methods_h = $self->{methods_h}; my $allowed_headers = $self->headers; my $allowed_headers_h = $self->{headers_h}; my $expose_headers = $self->expose_headers; my $expose_headers_h = $self->{expose_headers_h}; my @headers; if (not ($allowed_origins_h->{'*'} || $origin =~ $self->{origins_re} ) ) { return _with_vary($fail->($env)); } if ($preflight) { if ( $allowed_methods_h->{'*'} ) { $allowed_methods = [$request_method]; } elsif ( ! $allowed_methods_h->{$request_method} ) { return _response_forbidden(); } if ( $allowed_headers_h->{'*'} ) { $allowed_headers = \@request_headers; } elsif ( grep { ! defined } @{$allowed_headers_h}{map lc, @request_headers} ) { return _response_forbidden(); } } if ($self->credentials) { push @headers, 'Access-Control-Allow-Credentials' => 'true'; } elsif ($allowed_origins_h->{'*'}) { $origin = '*'; } push @headers, 'Access-Control-Allow-Origin' => $origin; my $res; if ($preflight) { if (defined $self->max_age) { push @headers, 'Access-Control-Max-Age' => $self->max_age; } push @headers, 'Access-Control-Allow-Methods' => join ', ', @$allowed_methods; push @headers, 'Access-Control-Allow-Headers' => join ', ', @$allowed_headers; $res = _response_success(); } else { $res = $self->app->($env); } return $self->response_cb($res, sub { my $res = shift; if (! _vary_headers($res->[1])->{origin}) { push @{ $res->[1] }, 'Vary' => 'Origin'; } if ($expose_headers_h->{'*'}) { my %headers = @{ $res->[1] }; delete @headers{@simple_response_headers}; $expose_headers = [sort keys %headers]; } push @headers, 'Access-Control-Expose-Headers' => join ', ', @$expose_headers; push @{ $res->[1] }, @headers; }); } sub _response_forbidden { [403, ['Content-Type' => 'text/plain', 'Content-Length' => 9, 'Vary' => 'Origin'], ['forbidden']]; } sub _response_success { [200, [ 'Content-Type' => 'text/plain' ], [] ]; } sub _with_vary { my ($res) = @_; return Plack::Util::response_cb($res, sub { my $res = shift; if (! _vary_headers($res->[1])->{origin}) { push @{ $res->[1] }, 'Vary' => 'Origin'; } }); } sub _vary_headers { my ($headers) = @_; my %vary = map { s/\A\s+//; s/\s+\z//; ( lc, 1) } map +(split /,/), Plack::Util::header_get($headers, 'Vary'); return \%vary; } 1; __END__ =head1 NAME Plack::Middleware::CrossOrigin - Adds headers to allow Cross-Origin Resource Sharing =head1 SYNOPSIS # Allow any WebDAV or standard HTTP request from any location. builder { enable 'CrossOrigin', origins => '*'; $app; }; # Allow GET and POST requests from any location, cache results for 30 days. builder { enable 'CrossOrigin', origins => '*', methods => ['GET', 'POST'], max_age => 60*60*24*30; $app; }; =head1 DESCRIPTION Adds Cross Origin Request Sharing headers used by modern browsers to allow C to work across domains. This module will also help protect against CSRF attacks in some browsers. This module attempts to fully conform to the CORS spec, while allowing additional flexibility in the values specified for the of the headers. The module also ensures that the response contains a C header to avoid potential issues with caches. =head1 CORS REQUESTS IN BRIEF There are two types of CORS requests. Simple requests, and preflighted requests. =head2 Simple Requests A simple request is one that could be generated by a standard HTML form. Either a C or C request, with no additional headers. For these requests, the server processes the request as normal, and attaches the correct CORS headers in the response. The browser then decides based on those headers whether to allow the client script access to the response. =head2 Preflighted Requests If additional headers are specified, or a method other than C or C is used, the request must be preflighted. This means that the browser will first send a special request to the server to check if access is allowed. If the server allows it by responding with the correct headers, the actual request is then performed. =head1 CSRF Protection Some browsers will also provide same headers with cross domain C requests from HTML forms. These requests will also be checked against the allowed origins and rejected before they reach the rest of your Plack application. =head1 CONFIGURATION =over 8 =item origins A list of allowed origins. Origins should be formatted as a URL scheme and host, with no path information. (C) 'C<*>' can be specified to allow access from any location. Wildcards (C<*>) can also be included in in the host to match any part of a host name (e.g. C). At least one origin must bust be specified for this middleware to have any effect. This will be matched against the C request header, and will control the C response header. If the origin does not match, the request is aborted. =item headers A list of allowed request headers. 'C<*>' can be specified to allow any headers. Controls the C response header. Includes a set of headers by default to simplify working with WebDAV and AJAX frameworks: =over 4 =item * C =item * C =item * C =item * C =item * C =item * C =item * C =item * C =back =item methods A list of allowed methods. 'C<*>' can be specified to allow any methods. Controls the C response header. Defaults to all of the standard HTTP and WebDAV methods. =item max_age The max length in seconds to cache the response data for. Controls the C response header. If not specified, the web browser will decide how long to use. =item expose_headers A list of allowed headers to expose to the client. 'C<*>' can be specified to allow the browser to see all of the response headers. Controls the C response header. =item credentials Whether the resource will be allowed with user credentials (cookies, HTTP authentication, and client-side SSL certificates) supplied. Controls the C response header. =item continue_on_failure Normally, simple requests with an Origin that hasn't been allowed will be stopped before they continue to the main app. If this option is set, the request will be allowed to continue, but no CORS headers will be added to the response. This matches how non-allowed requests would be handled if this module was not used at all. This disables the CSRF protection and is not recommended. It could be needed for applications that need to allow cross-origin HTML form Cs without whitelisting domains. =back =head1 BROWSER SUPPORT Different browsers have different levels of support for CORS headers. =over 8 =item Gecko (Firefox, Seamonkey) Initially supported in Gecko 1.9.1 (Firefox 3.5). Supports the complete CORS spec for Cs. Does not yet provide the C header for CSRF protection (L). =item WebKit (Safari, Google Chrome) Initially supported in Safari 4 and Chrome 3. Supports the complete CORS spec. The C feature has been supported since WebKit v535.18 (Safari 6, Chrome 18). Preflighted requests were buggy prior to WebKit v534.19 (Safari 5.1, Chrome 11), but this module uses a workaround where possible (using the C header). Also provides the C header for CSRF protection starting with WebKit v528.5 (Chrome 2, Safari 4). =item Internet Explorer Initially supported in IE8. Not supported with the standard C object. A separate object, C, must be used. Only C and C methods are allowed. No extra headers can be added to the request. Neither the status code or any headers aside from C can be retrieved from the response. IE10 supports CORS via the standard C object. =item Opera Opera and Opera Mobile support CORS since version 12. =back =head1 SEE ALSO =head2 CORS Resources =over 4 =item * L =item * L =item * L =item * L =item * L =item * L =item * L =item * L =item * L =back =head2 CSRF Resources =over 4 =item * L =item * L =item * L =item * L =back =head2 Related Technologies =over 4 =item * L =item * L =back =head1 AUTHOR Graham Knop =head1 COPYRIGHT AND LICENSE This software is copyright (c) 2011 by Graham Knop. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =head1 AUTHOR haarg - Graham Knop (cpan:HAARG) =head2 CONTRIBUTORS None so far. =head1 COPYRIGHT Copyright (c) 2011 the Plack::Middleware::CrossOrigin L and L as listed above. =head1 LICENSE This library is free software and may be distributed under the same terms as perl itself. =cut Plack-Middleware-CrossOrigin-0.014/Makefile.PL0000644000000000000000000000572213431272463021166 0ustar00rootwheel00000000000000use strict; use warnings FATAL => 'all'; use 5.008; my %META = ( name => 'Plack-Middleware-CrossOrigin', license => 'perl_5', prereqs => { configure => { requires => { } }, build => { requires => { } }, test => { requires => { 'Plack::App::File' => 0, 'Plack::Builder' => 0, 'Plack::Request' => 0, 'Plack::Test' => 0, 'Socket' => 0, 'Test::More' => '0.88', } }, runtime => { requires => { 'Plack::Middleware' => 0, 'Plack::Util' => 0, 'Plack::Util::Accessor' => 0, 'parent' => 0, 'perl' => '5.008', } }, develop => { requires => { 'Pod::Coverage::TrustPod' => 0, 'Test::Pod' => '1.41', 'Test::Pod::Coverage' => '1.08', } }, }, resources => { repository => { url => 'https://github.com/haarg/Plack-Middleware-CrossOrigin.git', web => 'https://github.com/haarg/Plack-Middleware-CrossOrigin', type => 'git', }, bugtracker => { web => 'https://github.com/haarg/Plack-Middleware-CrossOrigin/issues', }, license => [ 'http://dev.perl.org/licenses/' ], }, no_index => { directory => [ 't', 'xt' ] }, ); my %MM_ARGS = (); ## BOILERPLATE ############################################################### require ExtUtils::MakeMaker; (do './maint/Makefile.PL.include' or die $@) unless -f 'META.yml'; # have to do this since old EUMM dev releases miss the eval $VERSION line my $eumm_version = eval $ExtUtils::MakeMaker::VERSION; my $mymeta = $eumm_version >= 6.57_02; my $mymeta_broken = $mymeta && $eumm_version < 6.57_07; ($MM_ARGS{NAME} = $META{name}) =~ s/-/::/g; ($MM_ARGS{VERSION_FROM} = "lib/$MM_ARGS{NAME}.pm") =~ s{::}{/}g; $META{license} = [ $META{license} ] if $META{license} && !ref $META{license}; $MM_ARGS{LICENSE} = $META{license}[0] if $META{license} && $eumm_version >= 6.30; $MM_ARGS{NO_MYMETA} = 1 if $mymeta_broken; $MM_ARGS{META_ADD} = { 'meta-spec' => { version => 2 }, %META } unless -f 'META.yml'; $MM_ARGS{PL_FILES} ||= {}; $MM_ARGS{NORECURS} = 1 if not exists $MM_ARGS{NORECURS}; for (qw(configure build test runtime)) { my $key = $_ eq 'runtime' ? 'PREREQ_PM' : uc $_.'_REQUIRES'; my $r = $MM_ARGS{$key} = { %{$META{prereqs}{$_}{requires} || {}}, %{delete $MM_ARGS{$key} || {}}, }; defined $r->{$_} or delete $r->{$_} for keys %$r; } $MM_ARGS{MIN_PERL_VERSION} = delete $MM_ARGS{PREREQ_PM}{perl} || 0; delete $MM_ARGS{MIN_PERL_VERSION} if $eumm_version < 6.47_01; $MM_ARGS{BUILD_REQUIRES} = {%{$MM_ARGS{BUILD_REQUIRES}}, %{delete $MM_ARGS{TEST_REQUIRES}}} if $eumm_version < 6.63_03; $MM_ARGS{PREREQ_PM} = {%{$MM_ARGS{PREREQ_PM}}, %{delete $MM_ARGS{BUILD_REQUIRES}}} if $eumm_version < 6.55_01; delete $MM_ARGS{CONFIGURE_REQUIRES} if $eumm_version < 6.51_03; ExtUtils::MakeMaker::WriteMakefile(%MM_ARGS); ## END BOILERPLATE ########################################################### Plack-Middleware-CrossOrigin-0.014/maint/0000755000000000000000000000000013437446560020325 5ustar00rootwheel00000000000000Plack-Middleware-CrossOrigin-0.014/maint/Makefile.PL.include0000644000000000000000000000027213431272463023713 0ustar00rootwheel00000000000000BEGIN { -e 'Distar' or system("git clone git://git.shadowcat.co.uk/p5sagit/Distar.git") } use lib 'Distar/lib'; use Distar; author 'haarg - Graham Knop (cpan:HAARG) '; Plack-Middleware-CrossOrigin-0.014/META.json0000644000000000000000000000354613437446560020646 0ustar00rootwheel00000000000000{ "abstract" : "Adds headers to allow Cross-Origin Resource Sharing", "author" : [ "haarg - Graham Knop (cpan:HAARG) " ], "dynamic_config" : 1, "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010", "license" : [ "perl_5" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : 2 }, "name" : "Plack-Middleware-CrossOrigin", "no_index" : { "directory" : [ "t", "xt" ] }, "prereqs" : { "build" : { "requires" : {} }, "configure" : { "requires" : {} }, "develop" : { "requires" : { "Pod::Coverage::TrustPod" : "0", "Test::Pod" : "1.41", "Test::Pod::Coverage" : "1.08" } }, "runtime" : { "requires" : { "Plack::Middleware" : "0", "Plack::Util" : "0", "Plack::Util::Accessor" : "0", "parent" : "0", "perl" : "5.008" } }, "test" : { "requires" : { "Plack::App::File" : "0", "Plack::Builder" : "0", "Plack::Request" : "0", "Plack::Test" : "0", "Socket" : "0", "Test::More" : "0.88" } } }, "release_status" : "stable", "resources" : { "bugtracker" : { "web" : "https://github.com/haarg/Plack-Middleware-CrossOrigin/issues" }, "license" : [ "http://dev.perl.org/licenses/" ], "repository" : { "type" : "git", "url" : "https://github.com/haarg/Plack-Middleware-CrossOrigin.git", "web" : "https://github.com/haarg/Plack-Middleware-CrossOrigin" } }, "version" : "0.014", "x_serialization_backend" : "JSON::PP version 4.00" }