From 36d0f70af3e8f9a7968f9c672ec771a44da0b471 Mon Sep 17 00:00:00 2001 From: Edward McFarlane Date: Tue, 31 Oct 2023 15:43:48 -0400 Subject: [PATCH] Add CORS methods --- README.md | 32 ++++++++++++++++++++++- cors-go.go | 15 ----------- cors.go | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 107 insertions(+), 16 deletions(-) delete mode 100644 cors-go.go create mode 100644 cors.go diff --git a/README.md b/README.md index ea3471a..c4ab738 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,39 @@ cors-go =============== +Cross-origin resource sharing (CORS) support for Connect servers. Exports methods +to configure CORS headers to allow Connect and gRPC-web protocols to operate in +the browser. + +## Example + +As an example, we will use the [github.com/rs/cors](https://github.com/rs/cors) +package to demonstrate how to use the constants defined in this package. + +```go +import ( + cors "github.com/bufbuild/cors-go" + rscors "github.com/rs/cors" +) + +func main() { + // Create a new cors instance with default options. + c := rscors.New(rscors.Options{ + AllowedMethods: cors.AllowedMethods(), + AllowedHeaders: cors.AllowedHeaders(), + ExposedHeaders: cors.ExposedHeaders(), + }) + // Insert the middleware + handler := c.Handler( + // Your Connect handler goes here + ) + // Serve the handler +} +``` + ## Status: Alpha -Always have a status section. See our other OSS repos for details. +Cors is undergoing initial development and is not yet stable. ## Legal diff --git a/cors-go.go b/cors-go.go deleted file mode 100644 index cb0279f..0000000 --- a/cors-go.go +++ /dev/null 
@@ -1,15 +0,0 @@
-// Copyright 2023 Buf Technologies, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package cors-go
diff --git a/cors.go b/cors.go
new file mode 100644
index 0000000..c304623
--- /dev/null
+++ b/cors.go
@@ -0,0 +1,76 @@
+// Copyright 2023 Buf Technologies, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cors provides cross-origin resource sharing (CORS) constants for
+// Connect. These constants are used to configure the CORS headers for a
+// Connect server.
+package cors
+
+import "net/http"
+
+// AllowedMethods returns the allowed HTTP methods that scripts running in the
+// browser are permitted to use.
+//
+// To support cross-domain requests with the protocols supported by Connect,
+// these headers fields must be included in the preflight response header
+// Access-Control-Allow-Methods.
+func AllowedMethods() []string {
+ return []string{
+ http.MethodGet, // Required for Connect GET requests
+ http.MethodPost, // Required for all protocols
+ }
+}
+
+// AllowedHeaders returns the allowed header fields that scripts running in the
+// browser are permitted to access.
+//
+// To support cross-domain requests with the protocols supported by Connect,
+// these field names must be included in header Access-Control-Allow-Headers
+// of the actual response.
+func AllowedHeaders() []string {
+ return []string{
+ "Content-Type", // Required for Connect
+ "Connect-Protocol-Version", // Required for Connect
+ "Connect-Timeout-Ms", // Optional for Connect
+ "Connect-Accept-Encoding", // Future use for Connect
+ "Connect-Content-Encoding", // Future use for Connect
+ "Accept-Encoding", // Future use for Connect
+ "Content-Encoding", // Future use for Connect
+ "Grpc-Timeout", // Required for gRPC-web
+ "X-Grpc-Web", // Optional for gRPC-web
+ "X-User-Agent", // Optional for gRPC-web
+ }
+}
+
+// ExposedHeaders returns the headers that scripts running in the browser are
+// permitted to see.
+//
+// To support cross-domain requests with the protocols supported by Connect,
+// these field names must be included in header Access-Control-Expose-Headers
+// of the actual response.
+//
+// Make sure to include any application-specific headers your browser client
+// should see. If your application uses trailers, they will be sent as header
+// fields with a `Trailer-` prefix for Connect unary RPCs - make sure to
+// expose them as well if you want them to be visible in all supported
+// protocols.
+func ExposedHeaders() []string {
+ return []string{
+ "Content-Encoding", // Future use for Connect
+ "Connect-Content-Encoding", // Future use for Connect
+ "Grpc-Status", // Required for gRPC-web header response
+ "Grpc-Message", // Required for gRPC-web header response
+ "Grpc-Status-Details-Bin", // Required for gRPC-web error details
+ }
+}
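Review bot: The doc comment on AllowedHeaders describes the wrong side of the exchange: it says the names go in Access-Control-Allow-Headers "of the actual response" and that scripts are "permitted to access" them, but that header is returned on the preflight response and lists the request headers a script may send; the wording looks carried over from ExposedHeaders, where it is correct. I would reword it to `// AllowedHeaders returns the request header fields that scripts running in the browser are permitted to send.` and `// these field names must be included in the preflight response header Access-Control-Allow-Headers.` The AllowedMethods comment has a matching slip (`these headers fields`, where it means methods). Since the package exports only methods and headers, the package comment could also state that the allowed origins and any credentials setting are left to the caller's CORS middleware, so these helpers are not read as a complete policy.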