ilusm.dev

cors

CORS middleware for ilusm HTTP servers - configure allowed origins, methods, headers, credentials flag, and max-age preflight cache; generate correct preflight (204) and normal CORS response headers; wrap handlers as middleware; check request origin against an allow-list.

Load with: use cors

What this module does

cors provides everything needed to add Cross-Origin Resource Sharing support to an ilusm HTTP server. Create a config object with corsc, adjust the allowed origin, methods, and headers, then wrap your handler with corsm to produce a new handler that automatically handles OPTIONS preflight requests and attaches the correct Access-Control-* headers to every response.

Quick example

use cors
use wf

app = wf.new()

# Build a permissive CORS config
cfg = corsc()

# Restrict to a specific origin
cfg = coror(cfg, "https://app.example.com")

# Enable credentials (for cookies / auth headers)
cfg = corsc(cfg)

# Wrap a handler with CORS middleware
handler = corsm(cfg)(\(req, res)
    res.b = "Hello"
    res
)

app.get("/api", handler)

Functions

Config

corsc()

Creates a default CORS config: origin: "*", all standard methods, headers: ["*"], credentials: fls, max-age: 86400 seconds (24 hours).

coror(config, origin)

Sets the allowed origin. Use "*" for public APIs, or a specific origin (scheme, host, and port, with no path) such as "https://app.example.com" when credentials are needed.

cormt(config, methods)

Sets the list of allowed HTTP methods, e.g. ["GET", "POST"].

corsh(config, headers)

Sets the list of allowed request headers, e.g. ["Content-Type", "Authorization"].

corsa(config, seconds)

Sets the preflight cache duration (Access-Control-Max-Age) in seconds.

corsc(config)

Enables Access-Control-Allow-Credentials: true. Required when sending cookies or auth headers cross-origin. Note: incompatible with origin: "*".

Header generation

corsp(config)

Generates a full preflight response object for an OPTIONS request: status 204, with Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Max-Age, and optionally Access-Control-Allow-Credentials.

corsh(config)

Generates the subset of CORS headers for a normal (non-preflight) response: Access-Control-Allow-Origin, optional Access-Control-Allow-Credentials, and Vary: Origin.

Middleware

corsm(config)

Returns a curried middleware factory: corsm(cfg)(handler) produces a new handler that:

  1. Checks the Origin header and rejects (403) requests from disallowed origins when the config restricts them.
  2. Handles OPTIONS preflight requests by returning the preflight response directly.
  3. For all other requests, merges CORS headers into the response and passes through to the original handler.
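The three steps above, modelled in Python as an added example (not ilusm code and not the module's own implementation). The dict-shaped requests and responses, the exact-case "Origin" key, the default method list, the pass-through for requests without an Origin header, and the validate() helper are assumptions made for illustration.

```python
# Python model of the documented middleware behaviour; not ilusm source.
# Assumed for illustration: dict requests/responses, the DEFAULT method list,
# and validate(), which enforces the wildcard/credentials rule from the notes.
DEFAULT = {"origin": "*", "credentials": False, "max_age": 86400,
           "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
           "headers": ["*"]}

def validate(cfg):
    # Browsers refuse credentialed responses that carry a wildcard origin.
    if cfg["origin"] == "*" and cfg["credentials"]:
        raise ValueError('origin "*" cannot be combined with credentials')
    return cfg

def normal_headers(cfg):
    # Header subset for a non-preflight response, including Vary: Origin.
    h = {"Access-Control-Allow-Origin": cfg["origin"], "Vary": "Origin"}
    if cfg["credentials"]:
        h["Access-Control-Allow-Credentials"] = "true"
    return h

def preflight(cfg):
    # Full 204 preflight response for an OPTIONS request.
    h = {"Access-Control-Allow-Origin": cfg["origin"],
         "Access-Control-Allow-Methods": ", ".join(cfg["methods"]),
         "Access-Control-Allow-Headers": ", ".join(cfg["headers"]),
         "Access-Control-Max-Age": str(cfg["max_age"])}
    if cfg["credentials"]:
        h["Access-Control-Allow-Credentials"] = "true"
    return {"status": 204, "headers": h, "body": ""}

def cors_middleware(cfg):
    validate(cfg)
    def wrap(handler):
        def wrapped(req):
            origin = req["headers"].get("Origin")
            # Step 1: a restricted config rejects any other Origin with 403.
            # Assumption: a request with no Origin header is let through.
            restricted = cfg["origin"] != "*"
            if restricted and origin is not None and origin != cfg["origin"]:
                return {"status": 403, "headers": {}, "body": ""}
            # Step 2: answer the preflight without calling the handler.
            if req["method"] == "OPTIONS":
                return preflight(cfg)
            # Step 3: run the handler and merge the CORS headers into its response.
            res = handler(req)
            res["headers"] = {**res.get("headers", {}), **normal_headers(cfg)}
            return res
        return wrapped
    return wrap
```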

Origin check

corso(request, allowed_origins)

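Checks whether a request's Origin header is in an explicit allow-list. Returns tru if no Origin header is present (treated as same-origin), if "*" is in the list, or if the origin matches. Returns fls otherwise. Useful for manual CORS checks outside of the middleware. Because non-browser clients also send no Origin header, a tru result is not an authentication or authorization decision.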

Notes

  • Never use origin: "*" together with credentials: true - browsers will block such responses.
  • Requires trl and txt.