simple_cors - Cross-Origin Resource Sharing for Eiffel

Overview

simple_cors is a native CORS (Cross-Origin Resource Sharing) library for Eiffel. It provides a fluent API for configuring CORS policies and generating the correct HTTP headers for both simple requests and preflight OPTIONS requests.

Part of the simple_* ecosystem of focused, single-purpose Eiffel libraries.

Quick Start

Installation

Add to your ECF file:

<library name="simple_cors" location="$SIMPLE_CORS/simple_cors.ecf"/>

Set environment variable:

set SIMPLE_CORS=D:\path\to\simple_cors

Basic Usage

local
    cors: SIMPLE_CORS
    headers: HASH_TABLE [STRING, STRING]
do
    -- Create and configure
    create cors.make
    cors.allow_origin ("https://example.com")
    cors.allow_origin ("https://api.example.com")
    cors.allow_method ("PUT")
    cors.allow_method ("DELETE")
    cors.allow_header ("Authorization")

    -- Check if request is allowed
    if cors.is_origin_allowed (request_origin) then
        -- Get headers to add to response
        headers := cors.headers_for_simple_request (request_origin)
    end
end

Preflight Handling

-- Handle preflight OPTIONS request
if cors.is_preflight_request (request_method, request_origin) then
    if cors.is_origin_allowed (request_origin) and
       cors.is_method_allowed (requested_method) and
       cors.are_headers_allowed (requested_headers)
    then
        headers := cors.headers_for_preflight (
            request_origin,
            requested_method,
            requested_headers
        )
        -- Return 204 No Content with headers
    else
        -- Return 403 Forbidden
    end
end

Development Mode

-- Permissive mode for development
create cors.make_permissive
-- Allows all origins, methods, and headers

With Credentials

cors.allow_origin ("https://example.com")
cors.allow_credentials
-- Note: Cannot use wildcard with credentials

Features

Fetch Standard Compliant

Implements the CORS protocol as defined in the WHATWG Fetch Standard.

Origin Validation

Exact matching, pattern matching with wildcards, or allow all origins.

Preflight Support

Automatic handling of OPTIONS preflight requests with all required headers.

Credentials Support

Proper handling of credentials with automatic wildcard origin prevention.

Cache Control

Configurable Access-Control-Max-Age for preflight caching.

Security First

Rejects null origin, includes Vary header, prevents credentials with wildcards.

Fluent API

Clean, readable configuration with sensible defaults.

Design by Contract

Full preconditions, postconditions, and class invariants.

API Summary

Initialization

Feature	Description
`make`	Default: no origins allowed, simple methods only
`make_permissive`	Development mode: all origins, methods, headers
`make_restrictive`	Production mode: nothing allowed until configured

Origin Configuration

Feature	Description
`allow_origin (origin)`	Allow specific origin
`allow_origins (list)`	Allow multiple origins
`allow_origin_pattern (pattern)`	Allow origins matching pattern
`allow_all_origins`	Allow any origin (*)

Method Configuration

Feature	Description
`allow_method (method)`	Allow specific HTTP method
`allow_methods (list)`	Allow multiple methods
`allow_all_methods`	Allow all common HTTP methods

Header Configuration

Feature	Description
`allow_header (header)`	Allow request header
`allow_headers (list)`	Allow multiple headers
`allow_all_headers`	Allow any request header
`expose_header (header)`	Expose response header to JS

Credentials & Cache

Feature	Description
`allow_credentials`	Allow credentials (disables wildcard)
`disallow_credentials`	Disallow credentials
`set_max_age (seconds)`	Set preflight cache duration

Request Processing

Feature	Description
`is_cors_request (origin)`	Is this a CORS request?
`is_preflight_request (method, origin)`	Is this a preflight request?
`is_origin_allowed (origin)`	Is origin in allowed list?
`is_method_allowed (method)`	Is method allowed?
`are_headers_allowed (headers)`	Are all headers allowed?

Response Generation

Feature	Description
`headers_for_simple_request (origin)`	Get headers for simple request
`headers_for_preflight (origin, method, headers)`	Get headers for preflight

View complete API reference →

Testing

The library includes a comprehensive test suite with 33 tests covering:

Initialization modes (default, permissive, restrictive)
Origin configuration (single, multiple, patterns, wildcards)
Method and header configuration
Credentials handling and wildcard prevention
Request detection (CORS vs preflight)
Response header generation
Security (null origin rejection)

-- Run tests
ec.exe -batch -config simple_cors.ecf -target simple_cors_tests -c_compile
./EIFGENs/simple_cors_tests/W_code/simple_cors.exe