Merge pull request #20 from plone/cors

Add CORS support

README.rst

@@ -758,6 +758,52 @@ If in doubt better do not touch them.
 
     Default: ``false``.
 
+Cross-Origin Resource Sharing (CORS)
+------------------------------------
+
+Plone offers [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) handling with the [plone.rest](https://pypi.org/project/plone.rest/) package.
+CORS configuration is needed, if you want to access the Plone REST API from a different domain than the one Plone is running on.
+
+``cors_enabled``
+    Enable CORS support.
+
+    Allowed values: ``true``, ``false``.
+
+    Default: ``false``
+
+``cors_allow_credentials``
+    Indicates whether the resource supports user credentials in the request.
+
+    Allowed values: ``true``, ``false``.
+
+    Default: ``true``
+
+``cors_allow_headers``
+    A comma separated list of request headers allowed to be sent by the client.
+
+    Default: ``Accept,Authorization,Content-Type``
+
+``cors_allow_methods``
+    A comma separated list of HTTP method names that are allowed by this CORS policy.
+
+    Default: ``DELETE,GET,OPTIONS,PATCH,POST,PUT``
+
+``cors_allow_origin``
+    Origins that are allowed access to the resource.
+    Either a comma separated list of origins, e.g. ``https://example.com,https://otherexample.com``, or ``*`` for all.
+
+    Default: ``http://localhost:3000,http://127.0.0.1:3000``
+
+``cors_expose_headers``
+    A comma separated list of response headers clients can access.
+
+    Default: ``Content-Length``
+
+``cors_max_age``
+    Indicates how long the results of a preflight request can be cached in seconds.
+
+    Default: ``3600``
+
 Development
 -----------
 

cookiecutter.json

@@ -119,6 +119,14 @@
   "db_zeo_read_only": false,
   "db_zeo_drop_cache_rather_verify": false,
 
+  "cors_enabled": false,
+  "cors_allow_credentials": "true",
+  "cors_allow_headers": "Accept,Authorization,Content-Type,Lock-Token",
+  "cors_allow_methods": "DELETE,GET,OPTIONS,PATCH,POST,PUT",
+  "cors_allow_origin": "http://localhost:3000,http://127.0.0.1:3000",
+  "cors_expose_headers": "Content-Length",
+  "cors_max_age": "3600",
+
   "debug_mode": false,
   "verbose_security": false,
 

hooks/post_gen_project.py

@@ -9,6 +9,7 @@
 
 cwd = Path.cwd()
 basedir = cwd.parent
+etc = cwd / "etc"
 
 
 # post generation step 1: generate initial user
@@ -75,7 +76,10 @@
             filepath.parent.mkdir(parents=True, exist_ok=True)
     else:
         # cleanup relstorage files if no relstorage is configured
-        etc = cwd / "etc"
         (etc / "relstorage-export.conf").unlink()
         (etc / "relstorage-import.conf").unlink()
         (etc / "relstorage-pack.conf").unlink()
+
+# 3: remove unused files
+if "{{ cookiecutter.cors_enabled }}" == "False":
+    (etc / "cors.zcml").unlink()

{{ cookiecutter.target }}/etc/cors.zcml

@@ -0,0 +1,16 @@
+{%- if cookiecutter.cors_enabled %}
+<configure
+    xmlns="http://namespaces.zope.org/zope"
+    xmlns:plone="http://namespaces.plone.org/plone"
+    >
+  <include package="plone.rest" file="meta.zcml" />
+  <plone:CORSPolicy
+      allow_origin="{{ cookiecutter.cors_allow_origin }}"
+      allow_credentials="{{ cookiecutter.cors_allow_credentials }}"
+      allow_methods="{{ cookiecutter.cors_allow_methods }}"
+      expose_headers="{{ cookiecutter.cors_expose_headers }}"
+      allow_headers="{{ cookiecutter.cors_allow_headers }}"
+      max_age="{{ cookiecutter.cors_max_age }}"
+      />
+</configure>
+{%- endif %}

{{ cookiecutter.target }}/etc/site.zcml

@@ -44,6 +44,11 @@
 {%- endif %}
   <five:loadProducts />
 
+{%- if cookiecutter.cors_enabled %}
+  <!-- Load the CORS configuration:  -->
+  <include file="cors.zcml" />
+{%- endif %}
+
 {%- if zcml_include_file_location %}
   <!-- Load the local configuration:  -->
   <include file="{{ zcml_include_file_location | abspath }}" />