34

I have written a small rails app to serve up content to another site via xmlhttprequests that will be operating from another domain (it will not be possible to get them running on the same server). I understand I will need to set access-control-allow-origin on my rails server to allow the requesting web page to access this material.

It seems fairly well documented how to do this with Apache and this is probably the server I will use once I deploy the site. While I am developing though I hope to just use webrick as I am used to doing with rails. Is there a way of configuring webrick to provide the appropriate http header within rails?

sideshowbarker
brad
  • what are "access-control-allow-origin"? for understanding webrick a bit better I found this a nice start: http://microjet.ath.cx/webrickguide/html/What_is_WEBrick.html – poseid Mar 29 '10 at 16:05
  • It's an http header that tells a browser that it's OK to access resources from that server if the requesting page is from a different domain. – brad Mar 30 '10 at 22:13

7 Answers

79

Rails 4 (http://edgeguides.rubyonrails.org/security.html#default-headers)

In config/application.rb:

config.action_dispatch.default_headers.merge!({
  'Access-Control-Allow-Origin' => '*',
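  # Access-Control-Request-Method is a request header the browser sends in a preflight;
  # the response header that lists permitted methods is Access-Control-Allow-Methods.
  'Access-Control-Allow-Methods' => '*'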
})
lightswitch05
Jared Fine
14

Rails 3.1

class ApplicationController < ActionController::Base
  protect_from_forgery
  after_filter :set_access_control_headers

  def set_access_control_headers
    headers['Access-Control-Allow-Origin'] = '*'
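    # Response header that lists permitted methods (Access-Control-Request-Method
    # is sent by the browser, not by the server).
    headers['Access-Control-Allow-Methods'] = '*'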
  end
end
freemanoid
14

If you're on Rails 2 just add this to your application controller.

before_filter :set_access

def set_access
  @response.headers["Access-Control-Allow-Origin"] = "*"
end

Obviously changing "*" to something a little less open would be a good idea.

thomasfedb
  • Wow, you dragged that question out of the bowels of history. Thanks (unfortunately I abandoned that project for other reasons some time ago but this is useful to have out there) – brad Jan 08 '11 at 01:18
  • perhaps rails 4? edit: rails 4 is below ;) http://stackoverflow.com/a/17815546/845717 – BradGreens Jun 18 '14 at 15:27
  • For Rails 4 (specific action): `response.headers["Access-Control-Allow-Origin"] = "*"` – Sean Huber Jul 07 '16 at 19:14
12

Rails 3.1 - using a controller after_filter did not work for me so I added a custom middleware instead:

In app/middleware/cors_middleware.rb:

# For icons to work in Firefox with CDN
class CorsMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    cors_headers = headers.merge({
      'Access-Control-Allow-Origin' => '*',
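      # Response header that lists permitted methods (Access-Control-Request-Method
      # is sent by the browser, not by the server).
      'Access-Control-Allow-Methods' => '*'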
    })
    [status, cors_headers, body]
  end  
end

In config/application.rb:

require File.join(Rails.root, "app", "middleware", "cors_middleware")
config.middleware.insert_before ActionDispatch::Static, CorsMiddleware # Need it early in the chain to work for assets
Peter Marklund
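
Added example, not part of any answer above: a Rack middleware in the same shape as the one in this answer, narrowed as the Rails 2 answer suggests, so the `Origin` is echoed only when it is on an allowlist instead of sending "*". The class name, the origins and the demo helper are constructed for illustration.

```ruby
# Added example: allowlist-based CORS middleware (plain Rack, no gems needed).
class AllowlistCors
  ALLOWED_METHODS = 'GET, POST, OPTIONS'.freeze

  def initialize(app, allowed_origins)
    @app = app
    @allowed = allowed_origins.dup.freeze
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    allowed = @allowed.include?(origin) # exact match; nil (no Origin) never matches

    # Preflight: answer it here so it never reaches the application.
    if env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      headers = { 'Vary' => 'Origin' }
      headers.merge!(cors_headers(origin)) if allowed
      return [204, headers, []]
    end

    status, headers, body = @app.call(env)
    # The response differs per Origin, so shared caches must key on it.
    headers = headers.merge('Vary' => append_vary(headers['Vary']))
    headers = headers.merge(cors_headers(origin)) if allowed
    [status, headers, body]
  end

  private

  def cors_headers(origin)
    { 'Access-Control-Allow-Origin' => origin,
      'Access-Control-Allow-Methods' => ALLOWED_METHODS }
  end

  def append_vary(existing)
    existing.to_s.empty? ? 'Origin' : "#{existing}, Origin"
  end
end

# Constructed demo: a stand-in Rack app and a helper returning [status, headers].
DEMO_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
DEMO_CORS = AllowlistCors.new(DEMO_APP, ['https://www.example.com'])

def demo_headers(origin, method = 'GET', preflight = false)
  env = { 'REQUEST_METHOD' => method }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = 'POST' if preflight
  status, headers, = DEMO_CORS.call(env)
  [status, headers]
end
```

A request from an origin that is not listed still gets the normal response, but without `Access-Control-Allow-Origin`, so the browser refuses to expose it to the calling page.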
8

Rails 2.3.8

before_filter :allow_cross_domain_access
def allow_cross_domain_access
  response.headers["Access-Control-Allow-Origin"] = "*"
  response.headers["Access-Control-Allow-Methods"] = "*"
end
grosser
6

In case you want the solution as a Rack middleware gem: https://github.com/cyu/rack-cors

demisx
0

There are a couple of changes from the accepted answer that work for me. It will be easier to demonstrate the new answer than

skip_before_action :verify_authenticity_token
before_action :set_access


def set_access
   headers["Access-Control-Allow-Origin"] = "*"
end
gsumk