
In my Rails app, I set CORS to allow http://someurl.com. What is the syntax for allowing multiple domains?

My current config in application.rb

    config.action_dispatch.default_headers = {
        'X-Frame-Options' => 'ALLOWALL',
        'Access-Control-Allow-Origin' => 'http://someurl.com', # How can I add "anotherurl.com" to this list?
        'Access-Control-Allow-Credentials' => 'true',
        'Access-Control-Allow-Methods' => 'POST, GET' # method names are comma-separated
    }

The syntax is not mentioned in the guides: http://edgeguides.rubyonrails.org/configuring.html

Don P
  • Related. This answer doesn't use Rails, but the technique is the same: http://stackoverflow.com/questions/17323350/iis-access-control-allow-origin-with-multiple-domains/17329532#17329532 – monsur Apr 06 '14 at 03:43
  • Hmm that's interesting - I would've figured we'd easily support multiple origins. What is the logic for only allowing one? (Usually there is a good reason for this stuff) – Don P Apr 06 '14 at 03:46
  • Also, do you know the technique for this in Rails 4? – Don P Apr 06 '14 at 03:47
  • You probably have to add it inside the application controller, and depending on what origin is sent by the client just add it dynamically to the Access-Ctrl-Allow-Origin. Yihang did that: http://www.yihangho.com/rails-cross-origin-resource-sharing/ – sp33c Sep 23 '14 at 08:51
  • ActionDispatch just merges together your headers as a hash, it does no intelligent processing: https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/response.rb#L128 This gem https://github.com/cyu/rack-cors works with Rails as a Rack middleware and will dynamically rewrite your headers allowing for multiple origins. – Matt Garrison Jul 30 '15 at 22:05
  • Check out this answer https://stackoverflow.com/questions/41589352/ruby-on-rails-rack-cors-multiple-origins-with-diffrenet-resources – Krishna S Dec 29 '18 at 08:57
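
The technique the comments point to (compare the request's `Origin` against a list and echo back only the one that matches) can be written as a small Rack-style middleware. This is an added example, not code from the question, the commenters or rack-cors; the class name `AllowlistCors` and its `allowed:` parameter are hypothetical, and the header casing follows the question's config.

```ruby
require 'set'

# Added example: Rack-style middleware in plain Ruby (no gems needed).
# AllowlistCors and the allowed: parameter are hypothetical names.
class AllowlistCors
  # Exact origins (scheme://host[:port]); anotherurl.com is from the question.
  ALLOWED_ORIGINS = Set['http://someurl.com', 'http://anotherurl.com'].freeze

  def initialize(app, allowed: ALLOWED_ORIGINS)
    @app = app
    @allowed = allowed
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    # Exact string match only: no substring, prefix or regex comparison.
    permitted = !origin.nil? && @allowed.include?(origin)

    # Answer a permitted preflight here; all other requests reach the app.
    if permitted && env['REQUEST_METHOD'] == 'OPTIONS' &&
       env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return [204, cors_headers(origin).merge('Vary' => 'Origin'), []]
    end

    status, headers, body = @app.call(env)
    # The response depends on Origin, so shared caches must key on it,
    # including for origins that were refused.
    vary = [headers['Vary'], 'Origin'].compact.join(', ')
    headers = headers.merge('Vary' => vary)
    headers = headers.merge(cors_headers(origin)) if permitted
    [status, headers, body]
  end

  private

  def cors_headers(origin)
    {
      'Access-Control-Allow-Origin' => origin, # a single origin, never a list
      'Access-Control-Allow-Credentials' => 'true',
      'Access-Control-Allow-Methods' => 'POST, GET'
    }
  end
end

# Constructed demo app and request, for running this file on its own.
if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  env = { 'REQUEST_METHOD' => 'GET', 'HTTP_ORIGIN' => 'http://anotherurl.com' }
  p AllowlistCors.new(app).call(env)[1]
end
```

In a Rails app a class like this would be registered with `config.middleware.insert_before 0, AllowlistCors`, and the static `Access-Control-Allow-Origin` entry would come out of `default_headers` so the response never carries two values.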
