# Change Log
All notable changes to this project will be documented in this file.
## 3.0.0 - 2025-05-16
### Changed
- Update Rack dependency to >= 3.0.14
- Remove support for Ruby 2.3
- Add logger as explicit dependency
## 2.0.2 - 2024-03-04
### Changed
- Fix file permission issues with 2.0.1 release
- Security: Fixes CVE-2024-27456, GHSA-785g-282q-pwvx
## 2.0.1 - 2023-02-17
### Changed
- Use Rack::Utils::HeaderHash when Rack 2.x is detected
## 2.0.0 - 2023-02-14
### Changed
- Refactored codebase
- Support declaring custom protocols in origin
- Lowercased header names as defined by Rack spec
- Fix issue with duplicate headers because of header name case
## 1.1.1 - 2019-12-29
### Changed
- Allow /<resource>/* to match /<resource>/ and /<resource> paths
## 1.1.0 - 2019-11-19
### Changed
- Use Rack::Utils.escape_path instead of Rack::Utils.escape
- Require Rack 2.0 for escape_path method
- Don't try to clean path if invalid.
- Return 400 (Bad Request) on preflights with invalid path
## 1.0.6 - 2019-11-14
### Changed
- Use Rack::Utils.escape to make compat with Rack 1.6.0
## 1.0.5 - 2019-11-14
### Changed
- Update Gem spec to require rack >= 1.6.0
## 1.0.4 - 2019-11-13
### Security
- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
## 1.0.3 - 2019-03-24
### Changed
- Don't send 'Content-Type' header with pre-flight requests
- Allow ruby array for vary header config
## 1.0.2 - 2017-10-22
### Fixed
- Automatically allow simple headers when headers are set
## 1.0.1 - 2017-07-18
### Fixed
- Allow lambda origin configuration
## 1.0.0 - 2017-07-15
### Security
- Don't implicitly accept 'null' origins when 'file://' is specified
(https://github.com/cyu/rack-cors/pull/134)
- Ignore '' origins (https://github.com/cyu/rack-cors/issues/139)
- Default credentials option on resources to false
(https://github.com/cyu/rack-cors/issues/95)
- Don't allow credentials option to be true if '*' is specified as origin
(https://github.com/cyu/rack-cors/pull/142)
- Don't reflect Origin header when '*' is specified as origin
(https://github.com/cyu/rack-cors/pull/142)
### Fixed
- Don't respond immediately on non-matching preflight requests instead of
sending them through the app (https://github.com/cyu/rack-cors/pull/106)
## 0.4.1 - 2017-02-01
### Fixed
- Return miss result in X-Rack-CORS instead of incorrectly returning
preflight-hit
## 0.4.0 - 2015-04-15
### Changed
- Don't set HTTP_ORIGIN with HTTP_X_ORIGIN if nil
### Added
- Calculate vary headers for non-CORS resources
- Support custom vary headers for resource
- Support :if option for resource
- Support :any as a possible value for :methods option
### Fixed
- Don't symbolize incoming HTTP request methods
## 0.3.1 - 2014-12-27
### Changed
- Changed the env key to rack.cors to avoid Rack::Lint warnings
## 0.3.0 - 2014-10-19
### Added
- Added support for defining a logger with a Proc
- Return a X-Rack-CORS header when in debug mode detailing how Rack::Cors
processed a request
- Added support for non HTTP/HTTPS origins when just a domain is specified
### Changed
- Changed the log level of the fallback logger to DEBUG
- Print warning when attempting to use :any as an allowed method
- Treat incoming `Origin: null` headers as file://