feat(cors): use safer api/public-only CORS configuration

closes #202
platanus · Feb 17, 2020 · a948012 · a948012
1 parent 5a63ff5
commit a948012
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ Features:
   - Update ruby to 2.7.0 [#264](https://github.com/platanus/potassium/pull/264)
   - Add tailwindcss [#266](https://github.com/platanus/potassium/pull/266)
   - Update rack-cors to 1.1 [#269](https://github.com/platanus/potassium/pull/269)
+  - Use safer CORS configuration exposing only API and public resources [#271](https://github.com/platanus/potassium/pull/271)
 
 Fix:
   - Correctly use cache for bundle dependencies in CircleCI build [#244](https://github.com/platanus/potassium/pull/244) and [#258](https://github.com/platanus/potassium/pull/258)

diff --git a/lib/potassium/recipes/rack_cors.rb b/lib/potassium/recipes/rack_cors.rb
@@ -16,10 +16,11 @@ def rack_cors_config
       config.middleware.insert_before 0, Rack::Cors do
         allow do
           origins '*'
-          resource '*',
+          resource '/public/*', headers: :any, methods: :get
+          resource '/api/*',
             headers: :any,
             expose: ['X-Page', 'X-PageTotal'],
-            methods: [:get, :post, :delete, :put, :options]
+            methods: [:get, :post, :patch, :put, :delete, :options]
         end
       end