johan--/your_controller.rb

## your_controller.rb
class YourController < ApplicationController
  before_filter :cors_preflight_check, only: [:settings]
  after_filter :cors_set_access_control_headers, only: [:settings]

  def settings
    # YOUR CODE TO GET CLIENT'S WIDGET SETTINGS HERE
  end

  def cors_set_access_control_headers
    headers['Access-Control-Allow-Origin'] = '*'
    headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
    headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, Token'
    headers['Access-Control-Max-Age'] = "1728000"
  end

  def cors_preflight_check
    if request.method == 'OPTIONS'
      headers['Access-Control-Allow-Origin'] = '*'
      headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
      headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, Token'
      headers['Access-Control-Max-Age'] = '1728000'

      render :text => '', :content_type => 'text/plain'
    end
  end
end
	class YourController < ApplicationController
	before_filter :cors_preflight_check, only: [:settings]
	after_filter :cors_set_access_control_headers, only: [:settings]

	def settings
	# YOUR CODE TO GET CLIENT'S WIDGET SETTINGS HERE
	end

	def cors_set_access_control_headers
	headers['Access-Control-Allow-Origin'] = '*'
	headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
	headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, Token'
	headers['Access-Control-Max-Age'] = "1728000"
	end

	def cors_preflight_check
	if request.method == 'OPTIONS'
	headers['Access-Control-Allow-Origin'] = '*'
	headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
	headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, Token'
	headers['Access-Control-Max-Age'] = '1728000'

	render :text => '', :content_type => 'text/plain'
	end
	end
	end