Allow anything through CORS Policy

Question

How can I disable cors  For some reason I wild carded the allowed origins and headers yet my ajax requests still complain that the origin was not allowed by my CORS policy      My applications controller    class ApplicationController  lt  ActionController  Base   protect from forgery   before filter  current user   cors preflight check   after filter  cors set access control headers    For all responses in this controller  return the CORS access control headers   def cors set access control headers   headers  Access-Control-Allow-Origin           headers  Access-Control-Allow-Methods      POST  GET  OPTIONS    headers  Access-Control-Allow-Headers           headers  Access-Control-Max-Age      1728000  end    If this is a preflight OPTIONS request  then short-circuit the   request  return only the necessary headers and return an empty   text plain   def cors preflight check   if request method     options     headers  Access-Control-Allow-Origin             headers  Access-Control-Allow-Methods      POST  GET  OPTIONS      headers  Access-Control-Allow-Headers             headers  Access-Control-Max-Age      1728000      render  text   gt       content type   gt   text plain    end end   private     get the user currently logged in   def current user      current user     User find session  user id   if session  user id    end   helper method  current user  end   routes      match   all    gt   application cors preflight check    constraints   gt     method   gt   OPTIONS      match   alert    gt   alerts create    match   alerts    gt   alerts get    match   login    gt   sessions create    match   logout    gt   sessions destroy    match   register    gt   users create    Edit---  I also tried      config middleware use Rack  Cors do       allow do         origins             resource                    headers   gt   any                methods   gt    get   post   delete   put   options        end     end   in application rb  --edit 2---  The problem is that Chrome Extensions may not support CORS I think  How can I fetch information bypassing CORS  How should I respond to the preflight check

User · Answer

Just encountered with this issue in my rails application in production. A lot of answers here gave me hints and helped me to finally come to an answer that worked fine for me.

I am running Nginx and it was simple enough to just modify the my_app.conf file (where my_app is your app name). You can find this file in /etc/nginx/conf.d

If you do not have location / {} already you can just add it under server {}, then add add_header 'Access-Control-Allow-Origin' '*'; under location / {}.

The final format should look something like this:

server {
    server_name ...;
    listen ...;
    root ...;

    location / {
        add_header 'Access-Control-Allow-Origin' '*';
    }
}

User · Answer

Simply you can add rack-cors gem https   rubygems org gems rack-cors versions 0 4 0  1st Step  add gem to your Gemfile     gem  rack-cors    require   gt   rack cors    and then save and run bundle install  2nd Step  update your config application rb file by adding this   config middleware insert before 0  Rack  Cors do       allow do         origins             resource       headers   gt   any   methods   gt    get   post   options        end     end   for more details you can go to https   github com cyu rack-cors Specailly if you don t use rails 5

User · Answer

Have a look at the rack-cors middleware  It will handle CORS headers in a configurable manner

User · Answer

I had issues  especially with Chrome as well  What you did looks essentially like what I did in my application  The only difference is that I am responding with a correct hostnames in my Origin CORS headers and not a wildcard  It seems to me that Chrome is picky with this    Switching between development and production is a pain  so I wrote this little function which helps me in development mode and also in production mode  All of the following things happen in my application controller rb unless otherwise noted  it might not be the best solution  but rack-cors didn t work for me either  I can t remember why   def add cors headers   origin   request headers  Origin     unless  not origin nil   and  origin     http   localhost  or origin starts with   http   localhost        origin    https   your production-site org    end   headers  Access-Control-Allow-Origin     origin   headers  Access-Control-Allow-Methods      POST  GET  OPTIONS  PUT  DELETE    allow headers   request headers  Access-Control-Request-Headers     if allow headers nil       shouldn t happen  but better be safe     allow headers    Origin  Authorization  Accept  Content-Type    end   headers  Access-Control-Allow-Headers     allow headers   headers  Access-Control-Allow-Credentials      true    headers  Access-Control-Max-Age      1728000  end   And then I have this little thing in my application controller rb because my site requires a login   before filter  add cors headers before filter  authenticate user  unless request method     OPTIONS     In my routes rb I also have this thing   match   path    controller   gt   application    action   gt   empty    constraints   gt    method   gt   OPTIONS     and this method looks like this   def empty   render  nothing   gt  true end

User · Answer

I ve your same requirements on a public API for which I used rails-api   I ve also set header in a before filter  It looks like this   headers  Access-Control-Allow-Origin         headers  Access-Control-Allow-Methods      POST  PUT  DELETE  GET  OPTIONS  headers  Access-Control-Request-Method         headers  Access-Control-Allow-Headers      Origin  X-Requested-With  Content-Type  Accept  Authorization    It seems you missed the Access-Control-Request-Method header

User · Answer

Use VSC or any other editor that has Live server  it will give you a proxy that will allow you to use GET or FETCH

User · Answer

I have had a similar problem before where it turned out to be the web brower  chrome in my case  that was the issue   If you are using chrome  try launching it so   For Windows   1  Create a shortcut to Chrome on your desktop   Right-click on the shortcut and choose Properties  then switch to    Shortcut    tab   2  In the    Target    field  append the following      args    disable-web-security  For Mac  Open a terminal window and run this from command-line  open   Applications Google  Chrome app     args    disable-web-security  Above info from   http   documentumcookbook wordpress com 2012 03 13 disable-cross-domain-javascript-security-in-chrome-for-development

User · Answer

Try configuration at  config application rb   config middleware insert before 0   Rack  Cors  do   allow do     origins         resource       headers   gt   any   methods   gt    get   post   options   delete   put   patch   credentials  true   end end

[ruby-on-rails] Allow anything through CORS Policy

Examples related to ruby-on-rails

Examples related to cors