0

In my Rails application, one of the controllers displays public statistics that I want websites hosted on different domains to pull data from (app.donornest.com/stats.json).

My controller code is given below:

    require 'ostruct'

    class StatsController < ApplicationController
      # Disables the CSRF token check only; it sends no CORS response headers.
      skip_before_action :verify_authenticity_token
      respond_to :html, :xml, :json, :csv

      def index
        # Aggregate public counts into one object for rendering.
        @stats = OpenStruct.new
        @stats.users = User.count
        @stats.organizations = Organization.count
        @stats.donors = Person.count
        respond_to do |format|
          format.json { render json: @stats }
        end
      end
    end

I thought the line skip_before_action :verify_authenticity_token would be enough, but when I try to make requests to this page from the console, I get the following error:

XMLHttpRequest cannot load http://app.donornest.com/stats.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.

How can I fix this?

Michael Victor

1 Answer

2

This doesn't look like an authenticity token error.

It looks like a cross-domain access control error. Check this answer to enable access control headers in Rails for CORS-enabled clients:

Allow anything through CORS Policy

Community
Shaunak
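An added example, not part of the question or the answer above: a Rack-style middleware in plain Ruby that sends CORS headers only for the public, read-only stats path from the question and leaves every other route on the browser's same-origin default. The class name `PublicStatsCors`, the helper `demo_response` and the stand-in app are hypothetical and constructed so the block runs without Rails.

```ruby
# Added example: CORS headers scoped to one public endpoint (no gems needed).
# PublicStatsCors, DEMO_APP and demo_response are hypothetical names.
class PublicStatsCors
  PUBLIC_PATH = "/stats.json" # path taken from the question

  # Lowercase keys are valid for HTTP and required by Rack 3.
  # No access-control-allow-credentials header is sent, so browsers never
  # expose a cookie-authenticated response to another origin.
  CORS_HEADERS = {
    "access-control-allow-origin"  => "*",            # public data, any origin
    "access-control-allow-methods" => "GET, OPTIONS", # read-only
    "access-control-max-age"       => "600"
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    public_stats = env["PATH_INFO"] == PUBLIC_PATH
    method = env["REQUEST_METHOD"]

    # Answer the browser's preflight without reaching the controller.
    return [204, CORS_HEADERS.dup, []] if public_stats && method == "OPTIONS"

    status, headers, body = @app.call(env)
    # Only GET on the public path is opened up; everything else is untouched.
    headers = headers.merge(CORS_HEADERS) if public_stats && method == "GET"
    [status, headers, body]
  end
end

# Constructed stand-in for the Rails application.
DEMO_APP = ->(_env) { [200, { "content-type" => "application/json" }, ['{"users":3}']] }

# Runs one constructed request through the middleware: [status, headers, body].
def demo_response(method, path)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  PublicStatsCors.new(DEMO_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  p demo_response("GET", "/stats.json")[1]  # includes the CORS headers
  p demo_response("GET", "/users.json")[1]  # content-type only
end
```

In a Rails application a middleware like this is registered with `config.middleware.use PublicStatsCors` in `config/application.rb`.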