wai-cors: CORS for WAI

[ http, library, mit, network, wai, web ] [ Propose Tags ]

This package provides an implemenation of Cross-Origin resource sharing (CORS) for Wai that aims to be compliant with http://www.w3.org/TR/cors.

[Skip to Readme]




Automatic Flags

use transformers<0.3 (this is set automatically)


use version wai<2 (this is set automatically)


use version wai<3 (this is set automatically)


Use -f <flag> to enable a flag, or -f -<flag> to disable that flag. More info


Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees


Versions [RSS] 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7
Change log CHANGELOG.md
Dependencies attoparsec (>=, base (>=4 && <5), base-unicode-symbols (>=, bytestring (>=, case-insensitive (>=, http-types (>=0.8.0), mtl (>=2.1), resourcet (>=0.4), transformers (>=0.3), transformers-compat (>=0.3), wai [details]
License MIT
Copyright (c) 2015-2017 Lars Kuhtz <lakuhtz@gmail.com>, (c) 2014 AlephCloud Systems, Inc.
Author Lars Kuhtz <lakuhtz@gmail.com>
Maintainer Lars Kuhtz <lakuhtz@gmail.com>
Category HTTP, Network, Web, Yesod
Home page https://github.com/larskuhtz/wai-cors
Bug tracker https://github.com/larskuhtz/wai-cors/issues
Source repo head: git clone https://github.com/larskuhtz/wai-cors -b master
this: git clone https://github.com/larskuhtz/wai-cors(tag 0.2.6)
Uploaded by larsk at 2017-12-02T18:58:59Z
Distributions Arch:0.2.7, Debian:0.2.7, Fedora:0.2.7, LTSHaskell:0.2.7, NixOS:0.2.7, Stackage:0.2.7, openSUSE:0.2.7
Reverse Dependencies 11 direct, 5 indirect [details]
Downloads 21999 total (151 in the last 30 days)
Rating 2.0 (votes: 1) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2017-12-02 [all 1 reports]

Readme for wai-cors-0.2.6

[back to package description]

Build Status

Cross-Origin Resource Sharing (CORS) For Wai

This package provides a Haskell implementation of CORS for WAI that aims to be compliant with http://www.w3.org/TR/cors.

Note On Security

This implementation doesn't include any server side enforcement. By complying with the CORS standard it enables the client (i.e. the web browser) to enforce the CORS policy. For application authors it is strongly recommended to take into account the security considerations in section 6.3 of the CORS standard. In particular the application should check that the value of the Origin header matches the expectations.

Websocket connections don't support CORS and are ignored by the CORS implementation in this package. However Websocket requests usually (at least for some browsers) include the @Origin@ header. Applications are expected to check the value of this header and respond with an error in case that its content doesn't match the expectations.


Assuming the availability of recent versions of GHC and cabal this package is installed via

cabal update
cabal install wai-cors


The function 'simpleCors' enables support of simple cross-origin requests. More advanced CORS policies can be enabled by passing a 'CorsResourcePolicy' to the 'cors' middleware.

The file examples/Scotty.hs shows how to support simple cross-origin requests (as defined in http://www.w3.org/TR/cors) in a scotty application.

{-# LANGUAGE OverloadedStrings #-}

module Main
( main
) where

import Network.Wai.Middleware.Cors
import Web.Scotty

main :: IO ()
main = scotty 8080 $ do
    middleware simpleCors
    matchAny "/" $ text "Success"

The result of following curl command will include the HTTP response header Access-Control-Allow-Origin: *.

curl -i -H 'Origin:' -v

Documentation for more general usage can be found in the module Network.Wai.Middleware.Cors.


In order to run the automated test suite PhantomJS (at least version 2.0) must be installed in the system.

cabal install --only-dependencies --enable-tests
cabal test --show-details=streaming

If PhantomJS is not available the tests can be exectued manually in a modern web-browser as follows.

Start the server application:

cd test
ghc -main-is Server Server.hs

Open the file test/index.html in a modern web-browser. On page load a Javascript script is exectued that runs the test suite and prints the result on the page.