Releases: jdesrosiers/sinatra-cors
v1.2.0
v1.1.0
This version changes the behavior when an origin is not allowed. Previously, it returned the value "null" for Access-Control-Allow-Origin. Although this is compliant with the specification, it seems that there are ways that this can be exploited to grant access when it should not be granted.
Therefore, this implementation now responds with no Access-Control headers if the origin is not allowed. Thanks to @Akcbryant for making this happen.
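Why the "null" fallback matters, as an added Ruby example (plain Ruby written for this page, not sinatra-cors code): browsers serialize opaque origins as the string "null", so a literal "null" in Access-Control-Allow-Origin matches such a request. The function names, the simplified browser check and the sample origins are assumptions made for illustration.

```ruby
# Added illustration; all names here are hypothetical, not the gem's API.
ALLOWED_ORIGINS = ["https://app.example"].freeze # constructed sample allow-list

# Behaviour described for versions before 1.1.0: a disallowed origin
# still gets an Access-Control-Allow-Origin header, with the value "null".
def cors_headers_old(origin, allowed = ALLOWED_ORIGINS)
  value = allowed.include?(origin) ? origin : "null"
  { "Access-Control-Allow-Origin" => value }
end

# Behaviour described for 1.1.0: a disallowed origin gets no
# Access-Control headers at all.
def cors_headers_new(origin, allowed = ALLOWED_ORIGINS)
  return {} unless allowed.include?(origin)
  { "Access-Control-Allow-Origin" => origin }
end

# Simplified model of the browser-side check: the response is readable
# only if the header is "*" or equals the serialized request origin.
def browser_permits?(request_origin, response_headers)
  acao = response_headers["Access-Control-Allow-Origin"]
  !acao.nil? && (acao == "*" || acao == request_origin)
end

# Run both behaviours over a list of Origin header values.
def compare(origins)
  origins.map do |origin|
    { origin: origin,
      old: browser_permits?(origin, cors_headers_old(origin)),
      new: browser_permits?(origin, cors_headers_new(origin)) }
  end
end

# Constructed sample requests. "null" is what a browser sends as the
# Origin header for an opaque origin (for example a sandboxed document).
SAMPLE_ORIGINS = ["https://app.example", "https://other.example", "null"].freeze

compare(SAMPLE_ORIGINS).each do |row|
  puts format("%-24s old=%-5s new=%s", row[:origin], row[:old], row[:new])
end
```

Only the "null" row differs between the two behaviours, which is the case the 1.1.0 change closes.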
v1.0.2
This release fixes a bug related to the Access-Control-Allow-Headers header. If the Access-Control-Request-Headers header was not passed, Access-Control-Allow-Headers was being set to nil, which then caused Rack to throw an error.
v1.0.1
Change from space-separated to comma-separated configuration to match the CORS spec more closely.
v1.0.0
Update for Sinatra 2.0
v0.2.0
It now builds the correct Allow header based on the user-defined routes. Having a proper Allow header allows us to reject a preflight request for a method that is in allow_methods but has no matching route for that method.
v0.1.1
Initial release.
- Support for all CORS headers
- Handles OPTIONS requests for preflight requests automatically
- Follows security best practices for CORS
- Logs to the default logger to assist the user in configuring the server properly and securely.