Cross-Origin Resource Sharing (CORS) per endpoint

[avelino]

this discussion gave rise to this issue #123 and PR #131 (review)

Specification moclojer is done per endpoint not per host (and within the endpoint we declare which host will answer the endpoint).

Given this default behavior of the specification, we have to configure CORS per endpoint not per domain.

proposal

node: endpoint.cors
default: * usually mock is used in the development process and it tends not to be a problem to have "cross host attack".

Being possible to declare a list of hosts or without access to CORS:

• hostlist: [google.com, moclojer.com]
• CORS disabled: nil

example:

- endpoint:
    method: GET
    path: /hello/:username
    cors: *
    response:
      status: 200
      headers:
        Content-Type: application/json
      body: >
        {
          "hello": "{{path-params.username}}!"
        }

[rodweb]

I would prefer to avoid repeating the same thing for every endpoint. I think we should make use of hierarchy.

cors: [moclojer.com]
endpoints:
  - method: GET
    path: /hello/:username
    cors: *
    response:
      status: 200
      headers:
        Content-Type: application/json
      body: >
        {
          "hello": "{{path-params.username}}!"
        }

We'll still have the flexibility to override any config for each endpoint. Plus, by making the root of the spec an object, we'll have an easier time evolving the spec for these kinds of things that can be configured globally.

[matheusfrancisco]

I do like this way, not repeating cors for every endpoint.

[vmesel]

I do not like defining CORs for every endpoint. It should be across the whole server, at least from my perspective.

The problem with CORS being defined on each endpoint é that we should create a router for each endpoint, not a single router, which, IMHO, is an error.