CORS
Cross origin resource sharing
Scalatra allows you to mix the CorsSupport trait into your servlets if you need to do cross-origin resource sharing.
Adding CorsSupport allows all requests from anywhere, by default. You’ll need to add an options route to your servlet, though, so that your servlet will respond to the preflight request:
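```scala
import org.scalatra.{CorsSupport, ScalatraServlet}

class YourServlet extends ScalatraServlet with CorsSupport {
  // Answer the CORS preflight (OPTIONS) request for every path.
  options("/*") {
    // Echo back the headers the browser asked permission to send.
    response.setHeader(
      "Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"))
  }
}
```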
You can configure your application to be more restrictive by using the following init params.
```scala
// Init parameter values are strings.

// List the hosts and ports which will be allowed to make cross-origin requests,
// separated by commas (* by default).
context.initParameters("org.scalatra.cors.allowedOrigins") = "http://example.com:8080,http://foo.example.com"

// List what HTTP methods will be accepted.
// Available options are GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH.
// All methods are accepted by default.
context.initParameters("org.scalatra.cors.allowedMethods") = "GET"

// Set a list of allowed HTTP headers, most headers are supported.
context.initParameters("org.scalatra.cors.allowedHeaders") = "Content-Type"

// Set the number of seconds that preflight requests can be cached by the client.
// Default value is 0 seconds.
context.initParameters("org.scalatra.cors.preflightMaxAge") = "1800"

// By default, cookies are not included in CORS requests. Set this to `true` to allow cookies.
context.initParameters("org.scalatra.cors.allowCredentials") = "true"
```
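An added example, not taken from the Scalatra documentation or code base: a ScalatraBootstrap that sets the init params above explicitly and refuses to start when a combination widens access, such as a wildcard origin together with allowCredentials. It assumes a Scalatra version built on the javax.servlet API and the YourServlet class shown earlier; CorsSettings, problems and the example.com origins are hypothetical names and constructed values.

```scala
import javax.servlet.ServletContext
import org.scalatra.LifeCycle

// Added example: names in CorsSettings are hypothetical, origins are constructed.
object CorsSettings {
  val Prefix = "org.scalatra.cors."

  // Every parameter is set explicitly so that no permissive default applies.
  val params: Map[String, String] = Map(
    "allowedOrigins"   -> "https://app.example.com,https://admin.example.com",
    "allowedMethods"   -> "GET,POST",
    "allowedHeaders"   -> "Content-Type",
    "preflightMaxAge"  -> "1800",
    "allowCredentials" -> "true"
  )

  // Returns a description of each risky setting; an empty list means safe to apply.
  def problems(p: Map[String, String]): List[String] = {
    // A missing allowedOrigins falls back to "*", the default the page documents.
    val origins = p.getOrElse("allowedOrigins", "*").split(",").map(_.trim).filter(_.nonEmpty).toList
    val credentials = p.get("allowCredentials").exists(_.trim.equalsIgnoreCase("true"))
    val wildcard = origins.contains("*")
    val plaintext = origins.filter(_.startsWith("http://"))
    List(
      if (wildcard && credentials) Some("allowCredentials is true while any origin is allowed") else None,
      if (wildcard) Some("allowedOrigins is * (or unset), so any site may read responses cross-origin") else None,
      if (credentials && plaintext.nonEmpty) Some("cookies allowed for non-HTTPS origins: " + plaintext.mkString(", ")) else None,
      if (!p.contains("allowedMethods")) Some("allowedMethods is unset, so all methods are accepted") else None
    ).flatten
  }
}

class ScalatraBootstrap extends LifeCycle {
  override def init(context: ServletContext): Unit = {
    val found = CorsSettings.problems(CorsSettings.params)
    // Fail the deployment instead of starting with a permissive policy.
    require(found.isEmpty, "Unsafe CORS settings: " + found.mkString("; "))
    CorsSettings.params.foreach { case (name, value) =>
      context.initParameters(CorsSettings.Prefix + name) = value
    }
    context.mount(new YourServlet, "/*")
  }
}
```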
If you’re not familiar with CORS, you may want to find out a bit more about preflightMaxAge and allowCredentials or read the whole spec at the W3C. A good tutorial is also available at HTML5Rocks.