Allow anything through CORS policy

How can I disable CORS? For some reason I wildcarded the allowed origins and headers, but my ajax requests still complain that the origin was not allowed by my CORS policy...

My application controller:

    class ApplicationController < ActionController::Base
      protect_from_forgery
      before_filter :current_user, :cors_preflight_check
      after_filter :cors_set_access_control_headers

      # For all responses in this controller, return the CORS access control headers.
      def cors_set_access_control_headers
        headers['Access-Control-Allow-Origin'] = '*'
        headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
        headers['Access-Control-Allow-Headers'] = '*'
        headers['Access-Control-Max-Age'] = "1728000"
      end

      # If this is a preflight OPTIONS request, then short-circuit the
      # request, return only the necessary headers and return an empty
      # text/plain.
      def cors_preflight_check
        if request.method == :options
          headers['Access-Control-Allow-Origin'] = '*'
          headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
          headers['Access-Control-Allow-Headers'] = '*'
          headers['Access-Control-Max-Age'] = '1728000'
          render :text => '', :content_type => 'text/plain'
        end
      end

      private

      # get the user currently logged in
      def current_user
        @current_user ||= User.find(session[:user_id]) if session[:user_id]
      end
      helper_method :current_user
    end

routes:

    match "*all" => "application#cors_preflight_check", :constraints => { :method => "OPTIONS" }
    match "/alert" => "alerts#create"
    match "/alerts" => "alerts#get"
    match "/login" => "sessions#create"
    match "/logout" => "sessions#destroy"
    match "/register" => "users#create"

--- Change ---

I also tried:

    config.middleware.use Rack::Cors do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :delete, :put, :options]
      end
    end

in application.rb

--- Change 2 ---

The problem is that Chrome Extensions may not support CORS, I think. How can I get information bypassing CORS? How do I respond to preflight check?

+88
ruby-on-rails cors
Jul 25 '13 at 12:35
9 answers

I have the same public API requirements for which I used rails-api.

I also set the headers in a before filter. It looks like this:

    headers['Access-Control-Allow-Origin'] = '*'
    headers['Access-Control-Allow-Methods'] = 'POST, PUT, DELETE, GET, OPTIONS'
    headers['Access-Control-Request-Method'] = '*'
    headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Authorization'

You seem to have missed the Access-Control-Request-Method header.

+142
Aug 14 '13 at 7:27

Take a look at rack-cors middleware. It will handle CORS headers in a custom way.

+19
Jul 25 '13 at 12:38

You can simply add the rack-cors gem: https://rubygems.org/gems/rack-cors/versions/0.4.0

1st step: add the gem to your gemfile:

 gem 'rack-cors', :require => 'rack/cors' 

and then save and run bundle install

2nd step: update the config/application.rb file by adding the following:

    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end

For more information, you can go to https://github.com/cyu/rack-cors, in particular if you do not use Rails 5.

+6
Jun 18 '17 at 11:44

I had problems, especially with Chrome. What you did is similar to what I did in my application. The only difference is that I am responding with the correct hostnames in my Origin CORS headers, not a wildcard. It seems to me that Chrome is picky about this.

Switching between development and production is a pain, so I wrote this little function that helps me in both development mode and production mode. All of the following things happen in my application_controller.rb unless otherwise specified. This may not be the best solution, but shelving does not work for me; I can’t remember why.

    def add_cors_headers
      origin = request.headers["Origin"]
      unless (not origin.nil?) and (origin == "http://localhost" or origin.starts_with? "http://localhost:")
        origin = "https://your.production-site.org"
      end
      headers['Access-Control-Allow-Origin'] = origin
      headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS, PUT, DELETE'
      allow_headers = request.headers["Access-Control-Request-Headers"]
      if allow_headers.nil?
        # shouldn't happen, but better be safe
        allow_headers = 'Origin, Authorization, Accept, Content-Type'
      end
      headers['Access-Control-Allow-Headers'] = allow_headers
      headers['Access-Control-Allow-Credentials'] = 'true'
      headers['Access-Control-Max-Age'] = '1728000'
    end

And then I have this little thing in my application_controller.rb because my site requires login:

    before_filter :add_cors_headers
    before_filter {authenticate_user! unless request.method == "OPTIONS"}

In my routes.rb I also have this thing:

    match '*path', :controller => 'application', :action => 'empty', :constraints => {:method => "OPTIONS"}

and this method looks like this:

    def empty
      render :nothing => true
    end

+5
Aug 12 '13 at 17:12
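
An added example (not code from any answer on this page): a dependency-free Rack-style middleware that echoes the Origin only on an exact allowlist match, answers preflight requests itself, and sets Vary: Origin. The class name, the allowlist entries and the sample app are assumptions made for illustration.

```ruby
# Added example: Rack-style CORS middleware with an exact-match origin allowlist.
# AllowlistCors, the allowlist entries and the sample app are assumptions.
class AllowlistCors
  ALLOW_METHODS = 'GET, POST, PUT, DELETE, OPTIONS'.freeze
  ALLOW_HEADERS = 'Origin, Authorization, Accept, Content-Type'.freeze

  def initialize(app, allowed_origins)
    @app = app
    @allowed = allowed_origins.dup.freeze
  end

  def call(env)
    cors = cors_headers(env['HTTP_ORIGIN'])
    # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    if env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return [204, cors, []]
    end
    status, headers, body = @app.call(env)
    [status, headers.merge(cors), body]
  end

  private

  def cors_headers(origin)
    # Vary: Origin keeps caches from reusing one origin's response for another.
    base = { 'Vary' => 'Origin' }
    return base unless origin && @allowed.include?(origin) # exact string match only
    base.merge(
      'Access-Control-Allow-Origin'      => origin, # echoed only after the match
      'Access-Control-Allow-Credentials' => 'true',
      'Access-Control-Allow-Methods'     => ALLOW_METHODS,
      'Access-Control-Allow-Headers'     => ALLOW_HEADERS,
      'Access-Control-Max-Age'           => '1728000'
    )
  end
end

# Constructed sample app and allowlist, for illustration only.
APP = AllowlistCors.new(
  ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] },
  ['https://your.production-site.org', 'http://localhost:3000']
)

# Builds a minimal Rack env and returns [status, headers, body].
def cors_response(method, origin, extra = {})
  env = { 'REQUEST_METHOD' => method }.merge(extra)
  env['HTTP_ORIGIN'] = origin if origin
  APP.call(env)
end
```

An origin that is not on the list gets no Access-Control-Allow-Origin header at all, so the browser blocks the cross-origin read without the server having to return an error.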

I had a similar problem before; it turned out that the web browser (Chrome in my case) was the problem.

If you use chrome, try running it like this:

For Windows:

1) Create a shortcut for Chrome on your desktop. Right-click the shortcut and select "Properties", then go to the "Shortcut" tab.

2) In the Target field, add the following: --args --disable-web-security

For Mac, open a terminal window and run it from the command line:

    open ~/Applications/Google\ Chrome.app/ --args --disable-web-security

Above information from:

http://documentumcookbook.wordpress.com/2012/03/13/disable-cross-domain-javascript-security-in-chrome-for-development/

+3
Jul 25 '13 at 12:50

Just ran into this problem in my rails application in production. Many of the answers here gave me clues and helped me finally come up with an answer that worked well for me.

I use Nginx, and it was simple enough to just modify the my_app.conf file (where my_app is the name of your application). You can find this file in /etc/nginx/conf.d

If you do not already have location / {}, you can simply add it under server {} and then add add_header 'Access-Control-Allow-Origin' '*'; under location / {}.

The final format should look something like this:

    server {
        server_name ...;
        listen ...;
        root ...;
        location / {
            add_header 'Access-Control-Allow-Origin' '*';
        }
    }

+2
Nov 20 '18 at 19:14

First, add this to your Gemfile:

    gem 'rack-cors', :require => 'rack/cors'

Next, run bundle install.

Add the following code to your application.rb file:

    config.middleware.use Rack::Cors do
      allow do
        origins '*'
        resource '*', :headers => :any, :expose => ['Authorization'], :methods => [:get, :post, :options, :delete, :put]
      end
    end

That's it ... happy coding

0
May 27 '19 at 12:13

Try the configuration in /config/application.rb:

    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options, :delete, :put, :patch], credentials: true
      end
    end

-3
Aug 27 '16 at 13:46

It also supports most PHP frameworks.

    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Credentials true
    Header set Access-Control-Allow-Headers "accept, content-type, X-Requested-With, X-Prototype-Version, X-CSRF-Token, authorization"

Just make sure you comment ... The starting line in the httpd.conf file

    # Virtual hosts
    #Header always set Access-Control-Allow-Origin "*"
    Include /private/etc/apache2/extra/httpd-vhosts.conf

Or you will run into multiple origin "*, *"

-4
Dec 10 '15 at 7:48
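
An added example, not from any answer above: a small check that flags CORS response-header combinations that browsers reject or ignore, including the duplicated "*, *" origin mentioned above and a wildcard origin combined with credentials. The function name and the header sets are constructed for illustration.

```ruby
# Added example: flags CORS response-header combinations that browsers reject
# or ignore. cors_findings and the header sets below are constructed samples.
def cors_findings(headers)
  h = headers.each_with_object({}) { |(k, v), out| out[k.downcase] = v.to_s.strip }
  origin = h['access-control-allow-origin']
  creds  = h['access-control-allow-credentials'] == 'true'
  findings = []
  # Two layers each adding the header yields "*, *", which is not a valid value.
  findings << :multiple_origin_values if origin && origin.include?(',')
  # With credentials, the value must be one explicit origin, never "*".
  findings << :wildcard_origin_with_credentials if creds && origin == '*'
  # With credentials, "*" in Allow-Headers is a literal name, not a wildcard.
  findings << :wildcard_headers_with_credentials if creds && h['access-control-allow-headers'] == '*'
  # Access-Control-Request-* are sent by the browser; in a response they do nothing.
  findings << :request_header_in_response if h.keys.any? { |k| k.start_with?('access-control-request-') }
  findings
end

# Constructed header sets.
DUPLICATED = { 'Access-Control-Allow-Origin' => '*, *' }.freeze
WILDCARD_WITH_CREDENTIALS = {
  'Access-Control-Allow-Origin'      => '*',
  'Access-Control-Allow-Credentials' => 'true',
  'Access-Control-Allow-Headers'     => '*'
}.freeze
EXPLICIT_ORIGIN = {
  'Access-Control-Allow-Origin'      => 'https://your.production-site.org',
  'Access-Control-Allow-Credentials' => 'true',
  'Vary'                             => 'Origin'
}.freeze
```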


