I can help to implement it, but before I would like to know what are your thoughts or how do you think it should be implemented.

Hello,

I have a small project with a BeforeMiddleware handling authentication, as advocated by https://docs.rs/iron/0.6.0/iron/middleware/index.html#middleware.

I need my API to be CORS friendly, so I used this library.

As CorsMiddleWare is implemented as an AroundMiddleWare, the problem is that my routes are failing authentication before having a chance to reach CorsMiddleware.

I plan to adapt the codebase to switch CorsMiddleware to a BeforeMiddleware.

If I'm doing something wrong or you have questions please tell me in this thread.

If you're interested in a pull request, I'll gladly make it. (If I continue with this idea)

Hello,
I have a web application in angular that access multiple apis using cookies as credentials
The Browser refuses to send cookies if Access-Control-Allow-Credentials isn't setted.

Do you intent offer this support in this library?
If yes, I'll open a pull request.

If the wrapped handler returns an error the cors headers are not set at all, leading to the ui being unable to obtain the reason for the failure if one was set in the body. This makes it impossible to use after middleware to handle error messages gracefully without having to worry about the cors headers.

I would expect the headers to be set on every request in spite of any errors encountered. This way the headers are set and ready for remaining middleware to respond to the client correctly.

Docs:

The boolean flag specifies whether requests without an Origin header should be rejected or not.

That's a bit confusing.

When the domain is the same as the webpage was loaded, the browser doesn't send the origin header.

For example, when I launch a server in localhost and with cors like ["localhost:3000"] the middleware doesn't allow the request because the browser is not sending the cors.

That will apply to if I have a webpage that is using some subroute as api endpoint (can be done with nginx).

Anyway, that should be configurable for be able to express "My domain and this other domains".