CORS Problem: No Access-Control-Allow-Origin Error Message Appears When It Actually

I doubt that the main application using my application is important, but if you don't care, I use rack-cors with the Rails 4.0 application.

Using jQuery, I am sending the app a PATCH request like this:

 $.ajax({
   url: "http://example.com/whatever",
   type: "PATCH",
   data: { something: "something else" }
 })

When I make this call from Chrome, I see a successful OPTIONS request that returns these headers from my server:

 Access-Control-Allow-Credentials:true
 Access-Control-Allow-Headers:accept, content-type
 Access-Control-Allow-Methods:GET, PUT, PATCH, OPTIONS
 Access-Control-Allow-Origin: http://sending-app.localhost:3000
 Access-Control-Expose-Headers:
 Access-Control-Max-Age:15

Then I see a PATCH request that causes this error:

XMLHttpRequest cannot load http://example.com/whatever. The requested resource does not have an Access-Control-Allow-Origin header. Origin 'http://sending-app.localhost:3000' is therefore not allowed.

I tried switching from PATCH to PUT with the same results.

It makes no sense to me. What's happening?

Update: My config/application.rb

I thought the headers told the whole story, but since people are confused, here is my config/application.rb file, in which the Rails plugin is configured:

 config.middleware.use Rack::Cors do
   allow do
     origins '*'
     resource '*', :headers => :any, :methods => [:get, :put, :patch, :options], :max_age => 15
   end
 end
+7
javascript jquery ruby-on-rails cors
4 answers

Exclude the action from the Rails CSRF check ;)

That is, Rails checks the authentication token on update/create requests. In your Rails application, this token is added to all of your forms. But with JavaScript requests, including it is complicated.

You can skip checking for an action by adding this to your controller:

 skip_before_filter :verify_authenticity_token, :only => [:update] 

By the way, your problem had nothing to do with CORS; you received a bad browser error message. The Rails log tells the true story.

+5
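
The effect the answer above describes, as an added example that is not part of the original thread: a simplified plain-Ruby model (not rack-cors or Rails code; the class names and token value are constructed) in which the preflight succeeds but the PATCH fails CSRF verification, assuming the error response is produced by a layer outside the CORS middleware and so never receives the Access-Control-Allow-Origin header. It also runs the same layers with the CORS layer outermost, where the script sees the real 422 instead of a CORS error.

```ruby
# Constructed model (plain Ruby, no gems); class names here are hypothetical.
ORIGIN = 'http://sending-app.localhost:3000'
class InvalidToken < StandardError; end

# Stands in for a controller action with CSRF verification enabled.
APP = lambda do |env|
  raise InvalidToken, 'bad CSRF token' unless env['HTTP_X_CSRF_TOKEN'] == 'constructed-token'
  [200, { 'Content-Type' => 'text/plain' }, ['updated']]
end

# Toy CORS layer: answers the preflight itself, decorates other responses.
class ToyCors
  def initialize(app)
    @app = app
  end

  def call(env)
    cors = { 'Access-Control-Allow-Origin' => env['HTTP_ORIGIN'] }
    return [200, cors, []] if env['REQUEST_METHOD'] == 'OPTIONS'
    status, headers, body = @app.call(env) # a raise here skips the merge below
    [status, headers.merge(cors), body]
  end
end

# Toy error layer: turns the exception into an error response (status is illustrative).
class ToyErrorPage
  def initialize(app)
    @app = app
  end

  def call(env)
    @app.call(env)
  rescue InvalidToken => e
    [422, { 'Content-Type' => 'text/plain' }, [e.message]]
  end
end

# Browser-side check: the script gets the status only if the origin is allowed.
def browser_view(response, origin = ORIGIN)
  allow = response[1]['Access-Control-Allow-Origin']
  ['*', origin].include?(allow) ? response[0] : :cors_error
end

def send_request(stack, method, token = nil)
  env = { 'REQUEST_METHOD' => method, 'HTTP_ORIGIN' => ORIGIN }
  env['HTTP_X_CSRF_TOKEN'] = token if token
  browser_view(stack.call(env))
end

ERROR_OUTSIDE_CORS = ToyErrorPage.new(ToyCors.new(APP)) # the thread's symptom
CORS_OUTERMOST     = ToyCors.new(ToyErrorPage.new(APP)) # real status reaches the script
```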

You might want to add this to your config/application.rb file:

 #config/application.rb
 config.middleware.use Rack::Cors do
   allow do
     origins '*'
     resource '/*', :headers => :any, :methods => :patch
   end
 end

In the resource section, you determine what methods/requests your endpoint can accept!

Hope this helps

+2

This is strange stuff.

A) As a trial, you should try to enter * as an authorized source.

B) Is this a problem with spaces? After the colon, you have no spaces in some cases.

C) It looks like a preflighted request ( https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS ). A preflighted request is one that does not use "application/x-www-form-urlencoded", which yours should be. http://api.jquery.com/jquery.ajax/ states that the default content type is x-www-form-urlencoded, and you are not overriding the content type. This means that there should not be two requests.

D) As noted above, CSRF may be the problem. I'm not a Rails person. If this is the problem, you might want to attach your CSRF token to all ajax requests, for example:

 $.ajaxSetup({
   beforeSend: function(xhr, settings) {
     xhr.setRequestHeader('X-CSRF-Token', '<%= csrf_token_value %>');
   }
 });

There are several other ways to do this. It depends on your infrastructure/libraries.

0

Here is what I found in older SO posts on solving CSRF problems:

 # In application_controller.rb
 protect_from_forgery
 after_filter :set_csrf_cookie

 def set_csrf_cookie
   cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
 end

 protected

 # In Rails 4.2 and above
 def verified_request?
   super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
 end
0