Documentation

Fields

• codecServerDecoder :: !(Namespace -> Maybe AuthorizationHeaderValue -> Payload -> ExceptT ErrorResponse IO Payload)
   
• codecServerEncoder :: !(Namespace -> Maybe AuthorizationHeaderValue -> Payload -> ExceptT ErrorResponse IO Payload)
   
• endpointBase :: [Text]

  Path segments

• corsPolicy :: CorsResourcePolicy
   

Fields

• corsOrigins :: !(Maybe ([Origin], Bool))

  HTTP origins that are allowed in CORS requests.

  A value of Nothing indicates unrestricted cross-origin sharing and results in * as value for the Access-Control-Allow-Origin HTTP response header. Note if you send *, credentials cannot be sent with the request.

  A value other than Nothing is a tuple that consists of a list of origins and a Boolean flag that indicates if credentials are used to access the resource via CORS.

  Origins must be formated as described in RFC6454 (section 6.2). In particular the string * is not a valid origin (but the string null is).

  Credentials include cookies, authorization headers and TLS client certificates. For credentials to be sent with requests, the withCredentials setting of XmlHttpRequest in the browser must be set to true.

• corsMethods :: ![Method]

  HTTP methods that are allowed in CORS requests.

• corsRequestHeaders :: ![HeaderName]

  Field names of HTTP request headers that are allowed in CORS requests. Header names that are included in simpleHeaders, except for content-type, are implicitly included and thus optional in this list.

• corsExposedHeaders :: !(Maybe [HeaderName])

  Field names of HTTP headers that are exposed to the client in the response.

• corsMaxAge :: !(Maybe Int)

  Number of seconds that the OPTIONS preflight response may be cached by the client.

  Tip: Set this to Nothing while testing your CORS implementation, then increase it once you deploy to production.

• corsVaryOrigin :: !Bool

  If the resource is shared by multiple origins but Access-Control-Allow-Origin is not set to * this may be set to True to cause the server to include a Vary: Origin header in the response, thus indicating that the value of the Access-Control-Allow-Origin header may vary between different requests for the same resource. This prevents caching of the responses which may not apply accross different origins.

• corsRequireOrigin :: !Bool

  If this is True and the request does not include an Origin header the response has HTTP status 400 (bad request) and the body contains a short error message.

  If this is False and the request does not include an Origin header the request is passed on unchanged to the application.

  Since: wai-cors-0.2

• corsIgnoreFailures :: !Bool

  In the case that

  • the request contains an Origin header and
  • the client does not conform with the CORS protocol (request is out of scope)

  then

  • the request is passed on unchanged to the application if this field is True or
  • an response with HTTP status 400 (bad request) and short error message is returned if this field is False.

  Note: Your application needs to will receive preflight OPTIONS requests if set to True.

  Since: wai-cors-0.2

Fields

• errorStatus :: Status
   
• errorMessage :: String
   

Fields

• payloadData :: ByteString
   
• payloadMetadata :: Map Text ByteString