hexpreview

CHANGELOG.md

# Changelog

## v3.0.3 - 2022-03-02
Released to keep tag integrity, equivalent to v3.0.0

* **BREAKING CHANGES** / Fixes
  * Remove allow-credentials when set to false (thanks @AntoineAugusti)
  * Don't halt non-CORS OPTIONS requests

## v2.0.3 - 2021-02-06
* Fixes
  * Use recent versions of Elixir and Erlang for testing (thanks @anthonator)
  * Fix compilation warnings (thanks @thiamsantos)

## v2.0.2 - 2020-02-18

* Fixes
  * Fixes an issue where the plug would error when no CORS header was set
    (thanks @alexeyds)

## v2.0.1 - 2020-01-26

* Enhancements
  * Passing a function with arity 2 as `origin` will pass the `conn` to the
    function, allowing configuration based on conn (thanks @billionlaughs).
  * You can now pass regexes as part of the list of origins (thanks @gabrielpra1).
* Fixes
  * Fixes an issue where the request was missing the
    `access-control-request-headers` (thanks @zhhz for the initial report and
    @mfeckie for the fix).

## v2.0.0 - 2018-11-06

* Enhancements
  * Instead of sending `"null"` we don't set the headers at all if the origin doesn't match, as suggested by the [CORS draft 7.2](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null). Thanks to @YuLeven for initiating the discussion and @slashmili for fixing it. Since we change the return values I consider this a breaking change and released a new major version.
  * You can now set the option `send_preflight_response?` to `false` (it's `true` by default) to stop `CorsPlug` sending a response to the preflight request. That way the correct headers are set but it's up to you to respond to the request downstream.

## v1.5.2 - 2018-03-19

* Fixes
  * Relax version requirements

## v1.5.1 - 2018-03-14

* Fixes
  * Send proper return value if `Access-Control-Request-Headers` is not present.
    (thanks @shivamMg)

## v1.5.0 - 2017-12-06

* Enhancements
  * Allow configuration of origin via function (thanks @mauricioszabo).

## v1.4.0 - 2017-01-13

* Enhancements
  * Allows both `*` as well as specific domains in the `origins` config, returns
    the corresponding value (thanks @mustafaturan)
* Fixes
  * Don't overwrite `vary` header values with `"Origin"`, instead append it.
  * Don't set `vary` header to empty string if not needed.
  * Use `Plug.Conn.merge_resp_headers/2`

New major release because of the `vary` header changes, I don't expect this
to break anything.

## v1.3.0 - 2017-05-24

* Enhancements
  * Allows configuration via app config (see [README.md](README.md), thanks
    @TokiTori).

## v1.2.1 - 2017-02-07

* Fixes
  * Match for exact origin only (thanks @somlor and @JordanAdams).
  * Add Vary to response header (thanks @linjunpop).

## v1.2.0 - 2017-02-07

* Fixes
  * Remove cowboy dependency. Plug should be server-agnostic and this plug does
    not need cowboy. Thanks to @hauleth and @ewitchin for making me aware.

As I changed dependency this is a minor release. I don't anticipate any
regressions tho.

## v1.1.4 - 2017-05-24

* Fixes
  * Add method parens to suppress Elixir 1.4.0 warnings (thanks @seivan).

## v1.1.3 - 2016-12-24

* Enhancements
  * Support regex for `origin` (thanks @somlor)

## v1.1.2 - 2016-05-08

* Enhancements
  * Allow client to set `allow-headers` by sending `request-headers` when using
    a wildcard.

This enhancement is brought to you by @arathunku

## v1.1.1 - 2016-03-11

* Fixes
  * Return "null" instead of null when no origin matches.

Many thanks to @somlor for the fix!

## v1.1.0 - 2016-02-10

* Enhancements
  * Allow multiple origins. When configuring you can now pass a list for
`origins` (`plug: CORSPlug, origin: ~w(example1.com example2.com)`).
* Fixes
  * `Access-Control-Expose-Headers` now works

Both of these have been brought to you by @jer-k - many thanks!

## v1.0.0 - 2016-01-22

* Fixes
  * Don't override headers. Earlier headers would've been overriden by the
    CORS Plug. Amazing that this hasn't popped up before...

As this makes a backward-incompatible change (no longer overriding headers
this is a new major).

## v0.1.4 - 2015-09-24

* Enhancements
  * Add [`Access-Control-Expose-Headers`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Expose-Headers) (thanks @jaketrent)

## v0.1.3 - 2015-07-09

* Enhancements
  * Add license
  * Improve readme (thanks @leighhalliday, @patricksrobertson)
  * Simplify travis.yml (thanks @lowks)

## v0.1.2 - 2015-02-12

* Release plug dependency