Rails: where to enable Access-Control-Allow-Origin

Question

I'm trying to load a link in my coffeescript file like so:

$.ajax hobby.link,
  type: 'GET'
  dataType: 'html'
  error: (jqXHR, textStatus, errorThrown) ->
    console.log "AJAX Error"
  success: (data, textStatus, jqXHR) ->
    console.log "Successful AJAX call"

and have installed

gem 'rack-cors', :require => 'rack/cors'

and added

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :post, :options]
  end
end

to my application.rb, but everytime I get

XMLHttpRequest cannot load http://www.example.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

What else do I need to do to make these loads work?

Note that I'm currently performing that ajax call to three different links in a row.

`cannot load http://www.example.com/` are you sure you're querying `localhost:3000` with ajax? — Amin Shah Gilani, Oct 12 '16 at 22:22
@amingilani could you elaborate? I'm not sure what you're asking me. — rigdonmr, Oct 12 '16 at 22:25
The error above says `XMLHttpRequest cannot load http://www.example.com/`, check your ajax code to see if you've got `example.com` hardcoded in there. — Amin Shah Gilani, Oct 12 '16 at 22:26
I just put that link in as an example. The actual links I'm trying to load are other third-party URLs too — rigdonmr, Oct 12 '16 at 22:28

score 1 · Accepted Answer · answered Oct 13 '16 at 09:02

Rack::Cors deals with allowing or denying CORS for your own website and domain. It cannot affect the CORS configuration for any other domain.

For example, your website might be http://example.com, and you're trying to send an AJAX request to http://example.net. Since example.net is not under your control, you don't control its CORS settings, and neither does Rack::Cors. This means that if example.net has disallowed AJAX requests, you can't do anything about it.

Talk to the administrator of the service you're trying to call, and see if you can persuade them to allow AJAX requests (at least from your domain).

score 0 · Answer 2 · edited May 23 '17 at 11:48

0

The error code suggests that the 3rd party site you're trying to load doesn't allow requests from outside their own domain. It isn't a problem with your application, they disallow requests that don't originate from their own domain.

This is a measure against CSRF attacks. See this answer for an explanation of how CORS works.

edited May 23 '17 at 11:48

Community

1
1

answered Oct 12 '16 at 22:30

Amin Shah Gilani

8,675
5
37
79

these websites are public domains – rigdonmr Oct 12 '16 at 22:31
@rigdonmr yes, but they don't allow ajax requests that originate from outside their own domain. Basically, when your browser sends a request to siteA originating form a siteLocalhost, siteA gives your browser a whitelist of domains the request should have originated from, and siteLocalhost is not on it. See http://stackoverflow.com/a/21310171/3970701 – Amin Shah Gilani Oct 12 '16 at 22:35
so what situations does the tutorial in this link work in: https://www.html5rocks.com/en/tutorials/cors/ ? – rigdonmr Oct 12 '16 at 22:44
Which link? I think we should take this to chat. – Amin Shah Gilani Oct 12 '16 at 22:47
the link in my previous comment – rigdonmr Oct 12 '16 at 22:48
@rigdonmr please join me here: http://chat.stackoverflow.com/rooms/125550/discussion-for-40008944 – Amin Shah Gilani Oct 12 '16 at 22:51

Rails: where to enable Access-Control-Allow-Origin

2 Answers2