CORS with Rails

Cross-origin resource sharing (CORS) With Rails Qing Wu @wiserﬁrst

Why we need it API service on api.example.com Main site
(front end) on www.example.com Make Ajax requests from the front end

Oops…

Same-origin policy "Cross-domain" Ajax requests are forbidden Prevent XSS and
other security issues Ref: Same-origin policy on Wikipedia

The brick walls are there for a reason. The brick
walls are not there to keep us out. The brick walls are there to give us a chance to show how badly we want something. Because the brick walls are there to stop the people who don’t want it badly enough. They’re there to stop the other people. — Randy Pausch, The Last Lecture

Cross-origin resource sharing 1. Browser send OPTIONS request with Origin
header (http://www.example.com) 2. The server respond with Access-Control- Allow-Origin header 3. If match, continue with actual request; otherwise no request is made Ref: CORS on Wikipedia

CORS with Rails Respond to the OPTIONS requests to every
API endpoints Set appropriate headers (Origin, methods, headers) as needed

Set the route namespace :api do resources :movies, :users #
for the preﬂight request. Last route under /api match "*path" => "base#preﬂight_check", via: [:options] end

Set headers for requests # Api::BaseController before_action :authenticate, :except =>
[:preﬂight_check] after_action :cors_set_access_control_headers def preﬂight_check if request.method == 'OPTIONS' render :text => '', :content_type => 'text/plain' end end

Set headers for requests def cors_set_access_control_headers headers['Access-Control-Allow-Origin'] = 'http://www.example.com' headers['Access-Control-Allow-Methods']
= 'POST, PATCH, DELETE, OPTIONS' headers['Access-Control-Allow-Headers'] = 'X-MYCUSTOM-HEADER' headers['Access-Control-Max-Age'] = '10' # in seconds end

References StackOverﬂow answer: Allow anything through CORS Policy Gist: CORS
in Rails 4 APIs Rack Middleware: Rack::Cors

My implementation https://gist.github.com/wiserﬁrst/ db902e58ccd756ccc019 Or https://goo.gl/TSXncO

Alternatives to CORS Same origin (not always feasible) JSONP (limited
to GET; works on legacy browsers) Cross-document messaging

Any Questions?

CORS with Rails

CORS with Rails

Wu Qing

More Decks by Wu Qing

Other Decks in Programming

Featured

Transcript

Cross-origin resource sharing (CORS) With Rails Qing Wu @wiserﬁrst

Why we need it API service on api.example.com Main site

Oops…

Same-origin policy "Cross-domain" Ajax requests are forbidden Prevent XSS and

The brick walls are there for a reason. The brick

Cross-origin resource sharing 1. Browser send OPTIONS request with Origin

CORS with Rails Respond to the OPTIONS requests to every

Set the route namespace :api do resources :movies, :users #

Set headers for requests # Api::BaseController before_action :authenticate, :except =>

Set headers for requests def cors_set_access_control_headers headers['Access-Control-Allow-Origin'] = 'http://www.example.com' headers['Access-Control-Allow-Methods']

References StackOverﬂow answer: Allow anything through CORS Policy Gist: CORS

My implementation https://gist.github.com/wiserﬁrst/ db902e58ccd756ccc019 Or https://goo.gl/TSXncO

Alternatives to CORS Same origin (not always feasible) JSONP (limited

Any Questions?