Allow CORS in Ruby on Rails

In my config/application.rb file, I have this code,

    config.action_dispatch.default_headers = {
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Request-Method' => 'GET, PATCH, PUT, POST, OPTIONS, DELETE'
    }

But this does not allow me to send a mail request for a route on my server.

Safari gives this error:

    http://localhost:3000/students Failed to load resource: the server responded with a status of 404 (Not Found)
    http://localhost:3000/students Failed to load resource: Origin http://localhost:4200 is not allowed by Access-Control-Allow-Origin.
    localhost:1 XMLHttpRequest cannot load http://localhost:3000/students. Origin http://localhost:4200 is not allowed by Access-Control-Allow-Origi

And in my Rails server console:

    Started OPTIONS "/students" for ::1 at 2015-03-28 21:00:45 -0500
    ActionController::RoutingError (No route matches [OPTIONS] "/students"):
+8
ajax ruby-on-rails cors rails-api
5 answers

I spent some time on this, and I can say that the most reliable solution is to use rack-cors. See https://github.com/cyu/rack-cors

First add the gem:

 gem 'rack-cors', '~> 0.3.1' 

and then in application.rb add

    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end
+13

I was able to figure this out with some help from @Akiomi's answer:

In my routes.rb I added the following code at the beginning of the file:

  match '(:anything)' => 'application#nothing', via: [:options] 

Next, in my application controller, I added:

    def nothing
      render text: '', content_type: 'text/plain'
    end

Along with the headers in config/application.rb:

    config.action_dispatch.default_headers = {
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Request-Method' => 'GET, PATCH, PUT, POST, OPTIONS, DELETE',
      'Access-Control-Allow-Headers:' => 'Origin, X-Requested-With, Content-Type, Accept'
    }

Yes, pay attention to the 'Access-Control-Allow-Headers:' => 'Origin, X-Requested-With, Content-Type, Accept', which was not included in my initial question; this is one of the big problems.

+3

Add the following code:

In config/routes.rb:

    match 'students' => 'students#option', via: [:options]

In controllers/student_controller.rb:

    def option
      render text: '', content_type: 'text/plain'
    end

Or you can use rack-cors.

+1

In some cases, the browser makes a preflight request: instead of making the request first, it sends an OPTIONS request to the same URL so that it can find out what values the different CORS headers have (more about preflight checking here). If this request is successful and the headers have the correct values, it executes the actual request.

You have not added a route for these OPTIONS requests, so they go to the Rails 404 page, which does not include CORS headers.

The OPTIONS response needs to set the same CORS headers that you usually set during the request. It should not do anything else. For example:

    # in the routes file
    match 'students' => 'students#cors_preflight', via: [:options]

    # in the controller
    def cors_preflight
      render nothing: true
    end

Please note that there are other CORS headers that you may need, such as Access-Control-Allow-Credentials and Access-Control-Allow-Headers.

Once you have this working, you might consider tightening it up - you are potentially opening your application up to cross-site scripting.

0
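An added example, not part of any answer on this page and not rack-cors's own code: a plain Rack middleware that answers the preflight itself and echoes back only origins on an allowlist instead of `'*'`. The class name `AllowlistCors`, the allowlist contents and the `Max-Age` value are assumptions for illustration.

```ruby
# Added example: origin-allowlist CORS as a plain Rack middleware (no gems).
# The class name and ALLOWED_ORIGINS are assumptions for illustration.
class AllowlistCors
  ALLOWED_ORIGINS = ['http://localhost:4200'].freeze # dev origin from the question
  ALLOWED_METHODS = %w[GET POST PUT PATCH DELETE OPTIONS].freeze
  ALLOWED_HEADERS = %w[Origin X-Requested-With Content-Type Accept].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    origin  = env['HTTP_ORIGIN']
    allowed = ALLOWED_ORIGINS.include?(origin)

    if preflight?(env)
      # Answered here, so the OPTIONS request never reaches the router.
      return [403, { 'Content-Type' => 'text/plain' }, ['origin not allowed']] unless allowed
      return [204, preflight_headers(origin), []]
    end

    status, headers, body = @app.call(env)
    # Vary: Origin stops caches from replaying one origin's response to another.
    headers = headers.merge('Vary' => [headers['Vary'], 'Origin'].compact.join(', '))
    headers = headers.merge('Access-Control-Allow-Origin' => origin) if allowed
    [status, headers, body]
  end

  private

  # A preflight is an OPTIONS request with Origin and Access-Control-Request-Method.
  def preflight?(env)
    env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ORIGIN'] &&
      env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
  end

  # Response headers use the Allow-* names; Request-* names are sent by the browser.
  def preflight_headers(origin)
    { 'Access-Control-Allow-Origin'  => origin,
      'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers' => ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age'       => '600',
      'Vary'                         => 'Origin' }
  end
end
```

In a Rails app it would be registered like the rack-cors line on this page, with `config.middleware.insert_before 0, AllowlistCors`.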

You can allow the outcome from application_controller:

    class ApplicationController < ActionController::Base
      before_action :allow_cross_domain_ajax

      def allow_cross_domain_ajax
        headers['Access-Control-Allow-Origin'] = '*'
        headers['Access-Control-Request-Method'] = 'POST, OPTIONS'
      end
    end
0