
I'm using the rack-cors gem with Rails: https://github.com/cyu/rack-cors

I need to whitelist ONE domain so that it will allow that domain through.

I would think that this would allow traffic from the whitelisted domain. I am making a POST request from https://reflective-basket.surge.sh/ to my rails app. (domain name modified for the sake of this post on stackoverflow)

However, POST requests will not go through. The destination Rails app says:

The page you were looking for doesn't exist.
You may have mistyped the address or the page may have moved.

If I remove the protect from forgery line (`protect_from_forgery with: :exception`) from the application controller, the app of course allows all traffic through, but this defeats the purpose of having a secure app.

I'm sure this is a common problem (needing a form on website A submit data to website B but only from a certain domain) but this just doesn't seem to work as I would have hoped. Any pointers? I'm open to making this work in any way that's possible.

  • I don't understand the downvotes, it's a valid question. – Mike Szyndel Feb 04 '18 at 20:18
  • What you're asking for is how to make API requests with forgery protection and this is simply impossible. You would have to perform a `GET` or `HEAD` request first, fetch the session info and then perform the actual `POST` request you need. I guess you can see why this makes no sense. This is why in API use cases CSRF is disabled. – Mike Szyndel Feb 04 '18 at 20:22
  • `protect_from_forgery with: :exception, unless: :whitelisted_origin?`, create a method called `whitelisted_origin?` in `application_controller.rb` and check if `request.domain` is a whitelisted origin maybe? – Josh Brody Feb 04 '18 at 20:29
  • Yes, you could do as @JoshBrody said but keep in mind that it doesn't provide any security and is easy to fake https://stackoverflow.com/questions/4566378/how-secure-is-http-origin – Mike Szyndel Feb 04 '18 at 20:39
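Added illustration, not code from the question, the comments, Rails or rack-cors: a simplified pure-Ruby model of the two checks the comments contrast, an Origin allow-list bypass versus Rails-style authenticity-token verification. The `Request` struct, the helper names and the session hash are constructed stand-ins for Rails' request and session objects.

```ruby
require "securerandom"
# Constructed, simplified model of what the comments contrast; not Rails or
# rack-cors code. ALLOWED_ORIGIN is the site named in the question.
ALLOWED_ORIGIN = "https://reflective-basket.surge.sh"

Request = Struct.new(:http_method, :origin, :session, :csrf_token, keyword_init: true)

# The Origin allow-list check from the comments. Any non-browser client can
# set this header to whatever it likes, so it is not an authentication signal.
def whitelisted_origin?(req)
  req.origin == ALLOWED_ORIGIN
end

# What protect_from_forgery actually relies on: a secret kept in the
# server-side session (set up by an earlier GET) and echoed back by the client
# in a form field or the X-CSRF-Token header.
def issue_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the token cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_authenticity_token?(req)
  expected = req.session[:_csrf_token]
  return false if expected.nil? || req.csrf_token.nil?
  secure_equal?(expected, req.csrf_token)
end

# Mirrors the shape of Rails' verified_request?: safe methods pass, everything
# else needs the token. With origin_bypass: true it behaves like
# `protect_from_forgery ..., unless: :whitelisted_origin?` from the comments.
def verified_request?(req, origin_bypass: false)
  return true if %w[GET HEAD].include?(req.http_method)
  return true if origin_bypass && whitelisted_origin?(req)
  valid_authenticity_token?(req)
end

if __FILE__ == $PROGRAM_NAME
  session = {}                       # the browser's session, server side
  token = issue_csrf_token(session)  # obtained by a first GET, as Mike describes
  with_token = Request.new(http_method: "POST", origin: ALLOWED_ORIGIN, session: session, csrf_token: token)
  without    = Request.new(http_method: "POST", origin: ALLOWED_ORIGIN, session: session, csrf_token: nil)
  puts "POST with token:    #{verified_request?(with_token)}"  # true
  puts "POST without token: #{verified_request?(without)}"     # false
  puts "origin bypass, no token: #{verified_request?(without, origin_bypass: true)}"  # true: header only
end
```

The last line is the point Mike raises: with the Origin bypass, a request that carries the right header and no token is accepted, so the CORS allow-list replaces the CSRF check rather than complementing it.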
