Allowing cross-origin requests in Yesod

Question

My application uses a bookmarklet, and I need to allow CORS for MyRouteR so my bookmarklet code can use this route for AJAX requests.

In my first draft of config/routes I gave MyRouteR support for only one request method, PUT. But it turned out (duh) that I'd need to support the OPTIONS method as well, which browsers use for CORS preflight requests.

I ended up with the following in config/routes:

/myroute MyRouteR PUT OPTIONS

I was kind of hoping there would be some relevant machinery in the Template Haskell that processes config/routes so that the addition of OPTIONS to this route's method list would automagically result in CORS support, but no dice. Not the end of the world, but it would have made sense and felt elegant that way.

To make CORS work, I gave the route an OPTIONS handler:

optionsMyRouteR :: Handler RepPlain
optionsMyRouteR = do
    addHeader "Access-Control-Allow-Origin" "*"
    addHeader "Access-Control-Allow-Methods" "PUT, OPTIONS"
    return $ RepPlain $ toContent ("" :: Text)

putMyRouteR :: Handler RepJson
putMyRouteR = do
    addHeader "Access-Control-Allow-Origin" "*"
    -- more stuff ...

This works, but it feels slightly un-Yesodic because it's so boilerplate. So, two questions:

Do we have a better adjective than Yesodic?
Is there another, better way to let a route support cross-origin requests?

I changed `setHeader` to `addHeader` above because `setHeader` has been deprecated in the mean time — Rehno Lindeque, Mar 13 '14 at 22:11

Rehno Lindeque · Answer 1 · 2014-07-04T15:22:52.370

3

UPDATE: Someone else published some generic middleware for this: http://hackage.haskell.org/package/wai-cors.

I am currently working on the same thing and haven't yet implemented a solution, however I imagine it can be done via a WAI Middleware similar to the sample code on the wiki page Allowing WOFF fonts to be accessed from other domains (CORS). This should allow you from writing the CORS code once without repeating yourself.

Sample code from the link above to add cross-origin access for WOFF fonts:

addCORStoWOFF :: W.Middleware
addCORStoWOFF app = fmap updateHeaders . app
  where
    updateHeaders (W.ResponseFile    status headers fp mpart) = W.ResponseFile    status (new headers) fp mpart
    updateHeaders (W.ResponseBuilder status headers builder)  = W.ResponseBuilder status (new headers) builder
    updateHeaders (W.ResponseSource  status headers src)      = W.ResponseSource  status (new headers) src
    new headers | woff      = cors : headers
                | otherwise =        headers
      where woff = lookup HT.hContentType headers == Just "application/font-woff"
            cors = ("Access-Control-Allow-Origin", "*")

edited Jul 04 '14 at 15:22

answered Mar 13 '14 at 21:43

Rehno Lindeque

4,236
2
23
31

I'm not ready to accept the answer just because I haven't tested it; I have another workaround in place and it works well enough for now. I'll try to test this soon. If anyone else tests it and finds it works well, please weigh in. – Christian Brink Mar 17 '14 at 20:38
Thanks, I'll let you know if it worked for me. I'll probably test this some time this month since I need it myself. – Rehno Lindeque Mar 17 '14 at 20:57
Please, put the imports – FtheBuilder Dec 25 '16 at 22:16
@FtheBuilder As I mentioned in the update, you can just use the middleware directly now: http://hackage.haskell.org/package/wai-cors. There's no longer any need to roll your own. – Rehno Lindeque Dec 27 '16 at 20:51
2

`simpleCors` doesn't fix the `options` request error 400 – FtheBuilder Dec 30 '16 at 15:47
It works ok for me... Perhaps you need to set `corsMethods = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]` – Rehno Lindeque Jan 02 '17 at 04:12

Allowing cross-origin requests in Yesod

1 Answers1

Linked