@bnorton
Last active March 26, 2019 14:56
OPTIONS requests being blocked by CORB

Based on information found here on the chromium blog, I found that OPTIONS requests that render with head :ok are blocked by CORB because the response carries the headers Content-Type: text/plain and X-Content-Type-Options: nosniff. The text/plain content type is a "trigger" for CORB checking, and because Rails adds X-Content-Type-Options: nosniff to every response by default, CORB cannot sniff the response body to confirm it is safe, so it blocks the response outright.

TL;DR: add response.headers.delete('X-Content-Type-Options') in your OPTIONS preflight handler.

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_action :enable_cors

  # Target of the catch-all OPTIONS route below; an empty 200 is all a preflight needs.
  def options
    head :ok
  end

  private

  def enable_cors
    # Reflects whatever Origin the client sent; together with
    # Access-Control-Allow-Credentials: true this grants every origin
    # credentialed access, so restrict it with an allow-list if that matters.
    response.headers.merge!(
      'Access-Control-Allow-Origin' => request.headers['Origin'].presence || '',
      'Access-Control-Allow-Credentials' => 'true',
    )

    if request.method_symbol == :options
      response.headers.delete('X-Content-Type-Options') ## THIS IS THE IMPORTANT BIT
      response.headers.merge!(
        'Access-Control-Allow-Methods' => 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS',
        'Access-Control-Allow-Headers' => request.headers['Access-Control-Request-Headers'].presence || 'Origin, X-Requested-With, Content-Type, Accept',
        'Access-Control-Max-Age' => 14.days.to_s
      )
    end
  end
end

# config/routes.rb
Rails.application.routes.draw do
  # ...
  # then at the very end
  match '*anything' => 'application#options', :via => [:options]
end
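To make the header logic above checkable without a Rails app, here is an added example (not part of the gist) that models the same preflight handler in plain Ruby alongside a simplified model of the CORB rule the text describes. The function names, the RAILS_DEFAULT_HEADERS constant, the allowed_origins allow-list, the strip_nosniff switch and the crude body sniff are all assumptions made for this example; the CORB model only encodes the rule stated in the text (protected type + nosniff = blocked, otherwise the body is inspected).

```ruby
# Added example, not code from the gist: a Rails-free model of the
# preflight handler and of the CORB rule described in the text.

# Headers Rails adds to every response by default (assumed set; the one
# that matters here is X-Content-Type-Options).
RAILS_DEFAULT_HEADERS = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-Content-Type-Options' => 'nosniff',
}.freeze

# MIME types CORB treats as protected (simplified; the text names text/plain).
CORB_PROTECTED_TYPES = %w[text/plain text/html text/xml application/xml application/json].freeze

# Build response headers the way the gist's enable_cors/options pair does.
# allowed_origins is an addition: the gist reflects any Origin, which with
# Allow-Credentials: true lets every site make credentialed requests.
# strip_nosniff: false reproduces the "before" behaviour that CORB blocked.
def cors_response_headers(method:, request_headers:, allowed_origins: nil, strip_nosniff: true)
  headers = RAILS_DEFAULT_HEADERS.dup
  origin = request_headers['Origin'].to_s
  origin = '' if allowed_origins && !allowed_origins.include?(origin)
  headers['Access-Control-Allow-Origin'] = origin
  headers['Access-Control-Allow-Credentials'] = 'true'

  if method == :options
    headers.delete('X-Content-Type-Options') if strip_nosniff # the gist's key change
    headers['Access-Control-Allow-Methods'] = 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS'
    requested = request_headers['Access-Control-Request-Headers'].to_s
    headers['Access-Control-Allow-Headers'] =
      requested.empty? ? 'Origin, X-Requested-With, Content-Type, Accept' : requested
    headers['Access-Control-Max-Age'] = (14 * 24 * 60 * 60).to_s # what 14.days.to_s yields
    headers['Content-Type'] = 'text/plain' # what `head :ok` produced per the text
  end
  headers
end

# Simplified model of the CORB rule in the text: a protected content type is
# blocked outright when nosniff is set; without nosniff the body is sniffed,
# and an empty body (as from `head :ok`) passes. The sniff here is a crude
# stand-in for the real one.
def corb_blocked?(headers, body = '')
  type = headers['Content-Type'].to_s.split(';').first.to_s.strip.downcase
  return false unless CORB_PROTECTED_TYPES.include?(type)
  return true if headers['X-Content-Type-Options'].to_s.downcase == 'nosniff'
  body.lstrip.start_with?('<') # looks like HTML/XML -> blocked
end

if __FILE__ == $0
  # Constructed preflight request headers for a local demonstration.
  req = { 'Origin' => 'https://app.example', 'Access-Control-Request-Headers' => 'Authorization' }
  before = cors_response_headers(method: :options, request_headers: req, strip_nosniff: false)
  after  = cors_response_headers(method: :options, request_headers: req)
  puts "with nosniff   -> blocked? #{corb_blocked?(before)}"
  puts "nosniff removed -> blocked? #{corb_blocked?(after)}"
end
```

Running the file prints the before/after verdicts; the non-OPTIONS path keeps nosniff, so the hardening header is only dropped on the empty preflight response where it has nothing to protect.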