如何配置yada允许跨域请求(Clojure)？

Question

我有一个yada资源，配置如下：

(yada/resource
    {:methods {:get
               {:produces "text/plain"
                :response (fn [ctx]
                            "Hello world!!")}}})

然后返回一个curl -i localhost:8080/api/new：

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 13
Content-Type: text/plain
Server: Aleph/0.4.4
Connection: Keep-Alive
Date: Thu, 12 Dec 2019 18:50:42 GMT

Hello world!!

但是当我添加访问控制配置以允许源时：

(yada/resource
    {:methods {:get
               {:produces "text/plain"
                :response (fn [ctx]
                            "Hello world!!")}}
     :access-control {:allow-origin "*"}})

我看不到额外的标题：

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 13
Content-Type: text/plain
Server: Aleph/0.4.4
Connection: Keep-Alive
Date: Thu, 12 Dec 2019 18:52:32 GMT

Hello world!!

我也尝试过使用在https://juxt.pro/yada/manual/index.html#cross-origin-resource-sharing-cors找到的示例，但得到了相同的结果。

当我尝试从我的UI访问端点时，我看到了可怕的Access to resource at ... from origin ... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource。

我在这个配置中遗漏了什么？

Answer 1

我能够使用以下解决方法：

(yada/resource
    {:methods {:get
               {:produces "text/plain"
                :response (fn [ctx]
                            (let [response (:response ctx)
                                  updated-response (assoc-in response [:headers] {"Access-Control-Allow-Origin" "*"})]
                              (prn updated-response)
                              updated-response))}}})

这就绕过了内置的响应机制。我还是想知道正确的方法。

Answer 2

我认为你的配置是正确的(关于允许"*"的usual provisos )。我认为除非请求有Origin头，否则yada doesn't actually make the headers：

(defn access-control-headers [ctx]
  (if-let [origin (get-in ctx [:request :headers "origin"])]
    ;...

这可能解释了curl调用和实际客户端之间的差异。尝试使用using curl -H "Origin: http://origin" -vi http://server/endpoint进行检查。