barrel_server_cors (barrel_server v1.0.1)
View SourceCORS for the REST API, in front of auth.
Thin wrapper over livery_cors configured from {barrel_server, cors, Map}: origins (`*'' or a list of origin binaries), expose (response headers readable by browser JS; defaults to the x-barrel-* set so clients can fold the HLC clock), plus livery_cors passthroughs (methods, headers, credentials, max_age). Unconfigured = the middleware is not installed and no CORS headers are emitted. /mcp is skipped: the MCP endpoint carries its own origin policy (livery_mcp allowed_origins) and OPTIONS route, and double CORS headers break browsers.
Runs BEFORE barrel_server_auth so preflights (which carry no Authorization by spec) answer 204, while actual-request CORS headers wrap auth 401s and browser JS can read the error body.
Summary
Functions
Middleware state from the app env; undefined = no CORS.
Functions
-spec state_from_env() -> map() | undefined.
Middleware state from the app env; undefined = no CORS.