By default, Apollo Server 4 ships with a feature that protects users from CSRF and XS-Search attacks. This feature requires that any client sending operations via GET or multipart upload requests must include a special header (such as Apollo-Require-Preflight) in that request. For more information, see Preventing Cross-Site Request Forgery (CSRF).

Cross-Origin Resource Sharing (CORS) is an HTTP-header-based protocol that enables a server to dictate which origins can access its resources. Put another way, your server can specify which websites can tell a user's browser to talk to your server, and precisely which types of HTTP requests are allowed.

The startStandaloneServer function's CORS configuration is unalterable and enables any website on the internet to tell a user's browser to connect to your server. Depending on your use case, you might need to further customize your CORS behavior to ensure your server's security. To do so, you'll first need to swap to using expressMiddleware (or any other Apollo Server integration).

-- src/Network/Wai/Middleware/Cors.hs
-- Copyright © 2014 AlephCloud Systems, Inc.

-- | A Cross-Origin resource sharing (CORS) middleware.
--
-- The middleware is given a function that serves as a pattern to decide
-- whether a requested resource is available for CORS. If the match fails with
-- 'Nothing' the request is passed unmodified to the inner application.
--
-- The current version of this module only aims at compliance with the CORS
-- protocol as specified in the CORS standard. In accordance with that standard
-- the role of the server side is to support the client to enforce CORS
-- restrictions. This module does not implement any enforcement of
-- authorization policies that are possibly implied by the
-- 'CorsResourcePolicy'. It is up to the inner WAI application to enforce such
-- policy and make sure that it is in accordance with the configuration of the
-- 'cors' middleware.
--
-- Matches are done as follows: the wildcard origin matches every origin. For
-- all other cases a match succeeds if and only if the ASCII serializations (as
-- described in RFC 6454 section 6.2) are equal.
--
-- The OPTIONS method may return options for resources that are not actually
-- available. In particular for preflight requests the implementation returns
-- for the relevant HTTP response headers all values specified in the
-- 'CorsResourcePolicy' together with the respective values for simple
-- requests. This does not imply that the application actually supports the
-- respective values for the requested resource. Thus, depending on the
-- application, an actual request may still fail with 404 even if the preflight
-- request /supported/ the usage of the HTTP method with CORS.
--
-- The implementation does not distinguish between simple requests and requests
-- that require preflight. The client is free to omit a preflight request or do
-- a preflight request in cases when it wouldn't be required.
--
-- For application authors it is strongly recommended to take into account the
-- security considerations in section 6.3 of the CORS standard.
--
-- /TODO/
--
-- * We may consider adding optional enforcement aspects to this module: we may
--   check if a request respects our origin restrictions and we may check that a
--   CORS request respects the restrictions that we publish in the preflight
--   responses.
--
-- * Even though slightly out of scope we may (optionally) check if the
--   host header matches the actual host of the resource, since clients
--   using CORS may expect this and this check is recommended in the CORS
--   standard.
--
-- * We may consider integrating CORS policy handling more closely with the
--   handling of the source, for instance by integrating with 'ActionM' from
--   scotty.
--
cors
    ∷ (WAI.Request → Maybe CorsResourcePolicy)
    -- ^ A value of 'Nothing' indicates that the resource is not available for CORS
    → WAI.Middleware
#if MIN_VERSION_wai(3,0,0)
cors policyPattern app r respond
#else
cors policyPattern app r
#endif
    | Just policy ← policyPattern r = case hdrOrigin of

        -- No origin header: reject request
        Nothing → if corsRequireOrigin policy
            then res $ corsFailure "Origin header is missing"
            else runApp

        -- Origin header: apply CORS policy to request
        Just origin → applyCorsPolicy policy origin

    | otherwise = runApp

  where

#if MIN_VERSION_wai(3,0,0)
    res = respond
    runApp = app r respond
#else
    res = return
    runApp = app r
#endif

    -- Lookup the HTTP origin request header
    --
    hdrOrigin = lookup "origin" (WAI.requestHeaders r)

    -- Process a CORS request
    --
    applyCorsPolicy policy origin = do

        -- The error continuation
        let err e = if corsIgnoreFailures policy
            then runApp
            else res $ corsFailure (B8.
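As an added example (not code from wai-cors or from Apollo Server), the following JavaScript models the two server-side decisions described above: a CSRF guard in the spirit of the Apollo Server 4 feature, which only accepts a request the browser would have had to preflight, and the origin check that the Haskell cors function makes. The policy field names corsOrigins, corsRequireOrigin and corsIgnoreFailures are borrowed from CorsResourcePolicy but treated here as assumptions, and the sample policies and headers are constructed.

```javascript
// Added example, not code from wai-cors or Apollo Server. Headers are keyed by
// lower-cased name, as Node's req.headers are. corsOrigins and the
// preflight-header rule are assumptions for this example; sample data is constructed.

// Content types a browser sends cross-site without a preflight request.
const SIMPLE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];

// CSRF guard in the spirit of Apollo Server 4: accept a request only if something
// about it would have forced the browser to send a preflight first.
function passesCsrfGuard(headers) {
  if ("apollo-require-preflight" in headers) return true; // custom header forces preflight
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  return ct !== "" && !SIMPLE_CONTENT_TYPES.includes(ct); // e.g. application/json
}

// Origin decision mirroring the `cors` function above. A policy of null plays
// the role of 'Nothing' (resource not available for CORS). corsOrigins === null
// allows every origin; otherwise the Origin header must equal an allowed origin
// byte for byte (RFC 6454 section 6.2), so scheme, host and port all count.
function decideCors(policy, headers) {
  if (policy === null) return { action: "pass" }; // otherwise = runApp
  const fail = (reason) =>
    policy.corsIgnoreFailures ? { action: "pass" } : { action: "reject", reason };
  const origin = headers["origin"]; // hdrOrigin
  if (origin === undefined) {
    return policy.corsRequireOrigin ? fail("Origin header is missing") : { action: "pass" };
  }
  if (policy.corsOrigins !== null && !policy.corsOrigins.includes(origin)) {
    return fail("Origin is not allowed");
  }
  return {
    action: "allow",
    headers: {
      "Access-Control-Allow-Origin": policy.corsOrigins === null ? "*" : origin,
      Vary: "Origin",
    },
  };
}

// An allow-any policy, which is what the unalterable startStandaloneServer
// configuration amounts to, next to an allowlist that admits only the site's own front end.
const permissive = { corsOrigins: null, corsRequireOrigin: false, corsIgnoreFailures: false };
const strict = {
  corsOrigins: ["https://app.example.com"],
  corsRequireOrigin: true,
  corsIgnoreFailures: false,
};
```

Note that the exact-match rule rejects http://app.example.com for an allowlist entry of https://app.example.com, which is the behaviour the Haskell module's documentation describes.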