connectrpc · akshayjshah · Nov 21, 2023 · Nov 20, 2023 · Nov 21, 2023 · Nov 20, 2023
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -1,133 +1,3 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, religion, or sexual identity
-and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-[email protected]. All complaints will be reviewed and investigated promptly
-and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or
-permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within
-the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-[https://www.contributor-covenant.org/version/2/0/code_of_conduct.html][v2.0].
-
-Community Impact Guidelines were inspired by 
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available 
-at [https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.0]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations
+## Community Code of Conduct
 
+Connect follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -25,12 +25,6 @@ jobs:
         uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go-version }}
-      - name: Cache
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-cors-go-ci-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-cors-go-ci-
       - name: Test
         run: make test
       - name: Lint

diff --git a/.golangci.yml b/.golangci.yml
@@ -39,6 +39,7 @@ linters:
     - maintidx          # covered by gocyclo
     - maligned          # readability trumps efficient struct packing
     - nlreturn          # generous whitespace violates house style
+    - nonamedreturns    # named returns are fine; it's *bare* returns that are bad
     - nosnakecase       # deprecated in https://github.com/golangci/golangci-lint/pull/3065
     - scopelint         # deprecated by author
     - structcheck       # abandoned

diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2023 Buf Technologies, Inc.
+   Copyright 2023 The Connect Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,7 @@
+Maintainers
+===========
+
+## Current
+* [Akshay Shah](https://github.com/akshayjshah), [Buf](https://buf.build)
+* [Edward McFarlane](https://github.com/emcfarlane), [Buf](https://buf.build)
+* [Timo Stamm](https://github.com/timostamm), [Buf](https://buf.build)
diff --git a/Makefile b/Makefile
@@ -38,7 +38,7 @@ build: generate ## Build all packages
 generate: $(BIN)/license-header ## Regenerate code and licenses
 	license-header \
 		--license-type apache \
-		--copyright-holder "Buf Technologies, Inc." \
+		--copyright-holder "The Connect Authors" \
 		--year-range "$(COPYRIGHT_YEARS)" $(LICENSE_IGNORE)
 
 .PHONY: lint

diff --git a/README.md b/README.md
@@ -1,40 +1,47 @@
 cors-go
-===============
+=======
 
-Cross-origin resource sharing (CORS) support for Connect servers. Exports methods
-to configure CORS headers to allow Connect and gRPC-web protocols to operate in
-the browser.
+[![Build](https://github.com/connectrpc.com/cors-go/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/connectrpc.com/cors-go/actions/workflows/ci.yaml)
+[![Report Card](https://goreportcard.com/badge/connectrpc.com/cors)](https://goreportcard.com/report/connectrpc.com/cors)
+[![GoDoc](https://pkg.go.dev/badge/connectrpc.com/cors.svg)](https://pkg.go.dev/connectrpc.com/cors)
+
+`connectrpc.com/cors` provides convenience methods to make configuring
+Cross-Origin Resource Sharing (CORS) easier for
+[Connect](https://github.com/connectrpc/connect-go) servers. CORS is often
+required for the Connect and gRPC-Web protocols to work correctly in web
+browsers.
+
+For background, more details, and best practices, see [Connect's CORS
+documentation](https://connectrpc.com/docs/cors).
 
 ## Example
 
-As an example, we will use the [github.com/rs/cors](https://github.com/rs/cors) 
-package to demonstrate how to use the constants defined in this package.
+This package should work with any CORS package. As an example, we'll use it
+with [github.com/rs/cors](https://github.com/rs/cors).
 
 ```go
 import (
-	cors "github.com/bufbuild/cors-go"
-	rscors "github.com/rs/cors"
+	connectcors "connectrpc.com/cors"
+	"github.com/rs/cors"
 )
 
-// corsMiddleware wraps a handler with require cors config using rs/cors.
-func corsMiddleware(handler http.Handler) http.Handler {
-	// Create a new cors instance with default options.
-	c := rscors.New(rscors.Options{
-		AllowedMethods: cors.AllowedMethods(),
-		AllowedHeaders: cors.AllowedHeaders(),
-		ExposedHeaders: cors.ExposedHeaders(),
+// withCORS adds CORS support to a Connect HTTP handler.
+func withCORS(connectHandler http.Handler) http.Handler {
+	c := cors.New(cors.Options{
+		AllowedOrigins: []string{"https://acme.com"}, // replace with your domain
+		AllowedMethods: connectcors.AllowedMethods(),
+		AllowedHeaders: connectcors.AllowedHeaders(),
+		ExposedHeaders: connectcors.ExposedHeaders(),
+    MaxAge: 7200, // 2 hours in seconds
 	})
-	// Insert the middleware as a wrapper around your handler.
-	return c.Handler(handler /* connect handler */)
+	return c.Handler(connectHandler)
 }
 ```
 
 ## Status: Alpha
 
-Cors is undergoing initial development and is not yet stable.
+This module is undergoing initial development and is not yet stable.
 
 ## Legal
 
-Offered under the [Apache 2 license][license].
-
-[license]: https://github.com/bufbuild/cors-go/blob/main/LICENSE
+Offered under the [Apache 2 license][LICENSE].
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,5 @@
+Security Policy
+===============
+
+This project follows the [Connect security policy and reporting
+process](https://connectrpc.com/docs/governance/security).
diff --git a/cors.go b/cors.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Buf Technologies, Inc.
+// Copyright 2023 The Connect Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,13 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Package cors provides cross-origin resource sharing (CORS) constants for
-// Connect. These constants are used to configure the CORS headers for a
-// Connect server.
+// Package cors provides helpers to configure cross-origin resource sharing
+// (CORS) for Connect servers.
 package cors
 
-import "net/http"
-
 // AllowedMethods returns the allowed HTTP methods that scripts running in the
 // browser are permitted to use.
 //
@@ -27,50 +24,43 @@ import "net/http"
 // Access-Control-Allow-Methods.
 func AllowedMethods() []string {
 	return []string{
-		http.MethodGet,  // Required for Connect GET requests
-		http.MethodPost, // Required for all protocols
+		"GET",  // for Connect
+		"POST", // for all protocols
 	}
 }
 
-// AllowedHeaders returns the allowed header fields that scripts running in the
-// browser are permitted to access.
+// AllowedHeaders returns the headers that scripts running in the browser send
+// when making RPC requests. To support cross-domain requests with the
+// protocols supported by Connect, these field names must be included in the
+// Access-Control-Allow-Headers header of the preflight response.
 //
-// To support cross-domain requests with the protocols supported by Connect,
-// these field names must be included in header Access-Control-Allow-Headers
-// of the actual response.
+// When configuring CORS, make sure to also include any application-specific
+// headers your server expects to receive from the browser.
 func AllowedHeaders() []string {
 	return []string{
-		"Content-Type",             // Required for Connect
-		"Connect-Protocol-Version", // Required for Connect
-		"Connect-Timeout-Ms",       // Optional for Connect
-		"Connect-Accept-Encoding",  // Future use for Connect
-		"Connect-Content-Encoding", // Future use for Connect
-		"Accept-Encoding",          // Future use for Connect
-		"Content-Encoding",         // Future use for Connect
-		"Grpc-Timeout",             // Required for gRPC-web
-		"X-Grpc-Web",               // Optional for gRPC-web
-		"X-User-Agent",             // Optional for gRPC-web
+		"Content-Type",             // for all protocols
+		"Connect-Protocol-Version", // for Connect
+		"Connect-Timeout-Ms",       // for Connect
+		"Grpc-Timeout",             // for gRPC-web
+		"X-Grpc-Web",               // for gRPC-web
+		"X-User-Agent",             // for all protocols
 	}
 }
 
-// ExposedHeaders returns the headers that scripts running in the browser are
-// permitted to see.
-//
-// To support cross-domain requests with the protocols supported by Connect,
-// these field names must be included in header Access-Control-Expose-Headers
-// of the actual response.
+// ExposedHeaders returns the headers that scripts running in the
+// browser expect to access when receiving RPC responses. To support
+// cross-domain requests with the protocols supported by Connect, these field
+// names must be included in the Access-Control-Expose-Headers header of the
+// actual response.
 //
-// Make sure to include any application-specific headers your browser client
-// should see. If your application uses trailers, they will be sent as header
-// fields with a `Trailer-` prefix for Connect unary RPCs - make sure to
-// expose them as well if you want them to be visible in all supported
-// protocols.
+// When configuring CORS, make sure to also include any application-specific
+// headers your server expects to send to the browser. If your application uses
+// trailers, they will be sent as headers with a `Trailer-` prefix for
+// unary Connect RPCs - make sure to expose them!
 func ExposedHeaders() []string {
 	return []string{
-		"Content-Encoding",         // Future use for Connect
-		"Connect-Content-Encoding", // Future use for Connect
-		"Grpc-Status",              // Required for gRPC-web header response
-		"Grpc-Message",             // Required for gRPC-web header response
-		"Grpc-Status-Details-Bin",  // Required for gRPC-web error details
+		"Grpc-Status",             // for gRPC-web
+		"Grpc-Message",            // for gRPC-web
+		"Grpc-Status-Details-Bin", // for gRPC-web
 	}
 }
diff --git a/go.mod b/go.mod
@@ -1,3 +1,3 @@
-module github.com/bufbuild/cors-go
+module connectrpc.com/cors
 
 go 1.19