113

How can I disable cors? For some reason I wild carded the allowed origins and headers yet my ajax requests still complain that the origin was not allowed by my CORS policy....

My applications controller :

class ApplicationController < ActionController::Base
  protect_from_forgery
  before_filter :current_user, :cors_preflight_check
  after_filter :cors_set_access_control_headers

# For all responses in this controller, return the CORS access control headers.

def cors_set_access_control_headers
  headers['Access-Control-Allow-Origin'] = '*'
  headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
  headers['Access-Control-Allow-Headers'] = '*'
  headers['Access-Control-Max-Age'] = "1728000"
end

# If this is a preflight OPTIONS request, then short-circuit the
# request, return only the necessary headers and return an empty
# text/plain.

def cors_preflight_check
  if request.method == :options
    headers['Access-Control-Allow-Origin'] = '*'
    headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
    headers['Access-Control-Allow-Headers'] = '*'
    headers['Access-Control-Max-Age'] = '1728000'
    render :text => '', :content_type => 'text/plain'
  end
end
  private
  # get the user currently logged in
  def current_user
    @current_user ||= User.find(session[:user_id]) if session[:user_id]
  end
  helper_method :current_user

end

routes: 

  match "*all" => "application#cors_preflight_check", :constraints => { :method => "OPTIONS" }
  match "/alert" => "alerts#create"
  match "/alerts" => "alerts#get"
  match "/login" => "sessions#create"
  match "/logout" => "sessions#destroy"
  match "/register" => "users#create"

Edit---

I also tried:

   config.middleware.use Rack::Cors do
      allow do
        origins '*'
        resource '*', 
            :headers => :any, 
            :methods => [:get, :post, :delete, :put, :options]
      end
    end

in application.rb

--edit 2---

The problem is that Chrome Extensions may not support CORS I think. How can I fetch information bypassing CORS? How should I respond to the preflight check?

marcopolo
  • 1,963
  • 4
  • 18
  • 31

9 Answers9

165

I've your same requirements on a public API for which I used rails-api.

I've also set header in a before filter. It looks like this:

headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'POST, PUT, DELETE, GET, OPTIONS'
headers['Access-Control-Request-Method'] = '*'
headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Authorization'

It seems you missed the Access-Control-Request-Method header.

matteo
  • 2,256
  • 1
  • 13
  • 10
  • That's strange. Could you provide more info on the error you get? – matteo Aug 19 '13 at 07:07
  • 9
    Access-Control-Request-Method is set in request not in response. https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Request-Method – kuboon Nov 03 '14 at 03:04
22

Have a look at the rack-cors middleware. It will handle CORS headers in a configurable manner.

Jef
  • 5,424
  • 26
  • 28
  • 2
    We have used rack-cors for months and didn't encoutered any issue so far. Are you sure the problem doesn't reside on the client-side ? – Jef Jul 25 '13 at 12:49
  • 1
    I think the problem is that Chrome Extensions don't support CORS so maybe the Origin is Null. How can I completely disable CORS and respond to any request including requests with Null origins? – marcopolo Aug 07 '13 at 20:32
  • What Chrome Extension are you using ? – Jef Aug 08 '13 at 08:12
  • 1
    I am writing a chrome extension that needs to communicate with my Rails backend. – marcopolo Aug 08 '13 at 19:38
22

Simply you can add rack-cors gem https://rubygems.org/gems/rack-cors/versions/0.4.0

1st Step: add gem to your Gemfile: 

gem 'rack-cors', :require => 'rack/cors'

and then save and run bundle install

2nd Step: update your config/application.rb file by adding this:

config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end

for more details you can go to https://github.com/cyu/rack-cors Specailly if you don't use rails 5.

Abdallah Okasha
  • 1,879
  • 17
  • 20
  • For me the `.insert_before 0` was important. Before I used `config.middleware.use` and that worked only until I wanted to allow CORS for my `public` directory. – Tsunamis Feb 18 '20 at 13:55
6

I had issues, especially with Chrome as well. What you did looks essentially like what I did in my application. The only difference is that I am responding with a correct hostnames in my Origin CORS headers and not a wildcard. It seems to me that Chrome is picky with this.

Switching between development and production is a pain, so I wrote this little function which helps me in development mode and also in production mode. All of the following things happen in my application_controller.rb unless otherwise noted, it might not be the best solution, but rack-cors didn't work for me either, I can't remember why.

def add_cors_headers
  origin = request.headers["Origin"]
  unless (not origin.nil?) and (origin == "http://localhost" or origin.starts_with? "http://localhost:")
    origin = "https://your.production-site.org"
  end
  headers['Access-Control-Allow-Origin'] = origin
  headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS, PUT, DELETE'
  allow_headers = request.headers["Access-Control-Request-Headers"]
  if allow_headers.nil?
    #shouldn't happen, but better be safe
    allow_headers = 'Origin, Authorization, Accept, Content-Type'
  end
  headers['Access-Control-Allow-Headers'] = allow_headers
  headers['Access-Control-Allow-Credentials'] = 'true'
  headers['Access-Control-Max-Age'] = '1728000'
end

And then I have this little thing in my application_controller.rb because my site requires a login:

before_filter :add_cors_headers
before_filter {authenticate_user! unless request.method == "OPTIONS"}

In my routes.rb I also have this thing:

match '*path', :controller => 'application', :action => 'empty', :constraints => {:method => "OPTIONS"}

and this method looks like this:

def empty
  render :nothing => true
end
Christoph Eicke
  • 1,134
  • 7
  • 15
  • 1
    Just to close the circle. This whole CORS mess only happens when your hitting your production back-end from a localhost application, right? None of this will happen when everything is in production? – Sebastialonso Dec 08 '14 at 14:39
  • 2
    Only if backend and webapp are hosted under the same URL. If they are hosted under two different URLs entirely, then this will happen in production as well. – Christoph Eicke Dec 10 '14 at 08:13
3

I have had a similar problem before where it turned out to be the web brower (chrome in my case) that was the issue.

If you are using chrome, try launching it so:

For Windows:

1) Create a shortcut to Chrome on your desktop. Right-click on the shortcut and choose Properties, then switch to “Shortcut” tab.

2) In the “Target” field, append the following: –args –disable-web-security

For Mac, Open a terminal window and run this from command-line: open ~/Applications/Google\ Chrome.app/ –args –disable-web-security

Above info from:

http://documentumcookbook.wordpress.com/2012/03/13/disable-cross-domain-javascript-security-in-chrome-for-development/

PropertyWebBuilder
  • 1,286
  • 2
  • 12
  • 18
  • Why has this been voted down? I have had a situation similar to the one described in the question which was resolved by running chrome with web security disabled. The problem occurs when you are running a development server locally. Obviously you wouldn't leave chrome running with web security disabled always. – PropertyWebBuilder Jul 26 '13 at 20:50
  • this shouldn't be voted down since he explains the situation correctly :) – Dzung Nguyen Aug 11 '13 at 21:18
  • 6
    I did not do the vote-down, but from the answer it is not clear this a solution merely for development purposes. While this might solve the problem locally, one cannot expect your web visitors/extension users to do this. So I would clarify that in the answer. – nathanvda Aug 12 '13 at 07:34
  • 3
    No vote-down here either, but it used to be that the first instance of chrome run with a given flag caused all other instances to run the same way. Something to be *very* wary of. It's all too easy to forget and do some impromptu surfing. – dc5 Aug 14 '13 at 00:10
3

Just encountered with this issue in my rails application in production. A lot of answers here gave me hints and helped me to finally come to an answer that worked fine for me.

I am running Nginx and it was simple enough to just modify the my_app.conf file (where my_app is your app name). You can find this file in /etc/nginx/conf.d

If you do not have location / {} already you can just add it under server {}, then add add_header 'Access-Control-Allow-Origin' '*'; under location / {}.

The final format should look something like this:

server {
    server_name ...;
    listen ...;
    root ...;

    location / {
        add_header 'Access-Control-Allow-Origin' '*';
    }
}
H.B
  • 75
  • 1
  • 8
0

I arrived here looking for a CORS policy to allow everything/anything.

Here's what I used:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "GET",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]
stevec
  • 41,291
  • 27
  • 223
  • 311
-1

Try configuration at /config/application.rb:

config.middleware.insert_before 0, "Rack::Cors" do
  allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :post, :options, :delete, :put, :patch], credentials: true
  end
end
Leonardo Ostan
  • 180
  • 1
  • 6
-4

Use VSC or any other editor that has Live server, it will give you a proxy that will allow you to use GET or FETCH

David Buck
  • 3,752
  • 35
  • 31
  • 35
Ayo crescent
  • 11
  • 1