Ruby on Rails CORS Preflight Check
# In ApplicationController
before_action :cors_set_access_control_headers

# Answers CORS preflight (OPTIONS) requests with the headers below and an empty JSON body.
def cors_preflight_check
  return unless request.method == 'OPTIONS'

  cors_set_access_control_headers
  render json: {}
end

protected

def cors_set_access_control_headers
  # Note: browsers refuse credentialed cross-origin requests when Allow-Origin is '*'.
  response.headers['Access-Control-Allow-Origin'] = '*'
  response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
  response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, Token, ' \
    'Auth-Token, Email, X-User-Token, X-User-Email, x-xsrf-token'
  response.headers['Access-Control-Max-Age'] = '1728000'
  response.headers['Access-Control-Allow-Credentials'] = 'true' # header values are strings
end

# In config/routes.rb: send every OPTIONS request to the preflight action
match '*all', controller: 'application', action: 'cors_preflight_check', via: [:options]

betocattani commented Nov 23, 2018

Nice my friend, thanks!

dipunj commented Aug 28, 2019

This is just so helpful. Thanks a lot man!

danielpowell4 commented Oct 31, 2019

Per rails/rails#12374 render :text is deprecated

So for my use, which is a tad different than this gist, which I was rather thankful for

before_action :whitelist_cors

def whitelist_cors
  response.headers['Access-Control-Allow-Origin'] = allow_origin_header
  response.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
  response.headers['Access-Control-Allow-Headers'] = 'origin, content-type, accept'
  return render plain: '' if cors_preflight_check?
end

def cors_preflight_check?
  request.request_method == 'OPTIONS'
end

def allow_origin_header
  if public?
    '*'
  else
    # whitelist request.headers['origin'] or error
  end
end
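
An added example (not part of the gist or of any commenter's code) of the "whitelist request.headers['origin'] or error" branch, written as plain Ruby so it runs outside Rails: the Origin header is parsed, matched exactly against an allowlist, and echoed back with `Vary: Origin`, while the wildcard is never paired with credentials. `ALLOWED_ORIGINS`, `normalize_origin`, `cors_headers` and the example.com origins are assumptions made for this illustration.

```ruby
require 'uri'

# Hypothetical allowlist for this example; replace with your real front-end origins.
ALLOWED_ORIGINS = %w[https://app.example.com https://admin.example.com].freeze

# Returns the serialized origin ("scheme://host[:port]") when the header value is a
# well-formed http(s) origin, otherwise nil. Rejects "null", paths, userinfo and junk.
def normalize_origin(value)
  return nil unless value.is_a?(String)

  uri = URI.parse(value)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  return nil if uri.userinfo || uri.query || uri.fragment || !uri.path.empty?

  origin = "#{uri.scheme}://#{uri.host.downcase}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  origin
rescue URI::InvalidURIError
  nil
end

# Builds the CORS response headers for one request.
# public: true  -> wildcard origin, never with credentials (browsers reject that pair).
# public: false -> echo the origin only on an exact allowlist match.
def cors_headers(origin_header, public: false, allowlist: ALLOWED_ORIGINS)
  common = {
    'Access-Control-Allow-Methods' => 'POST, OPTIONS',
    'Access-Control-Allow-Headers' => 'origin, content-type, accept'
  }
  return common.merge('Access-Control-Allow-Origin' => '*') if public

  origin = normalize_origin(origin_header)
  # Vary: Origin keeps caches from serving one origin's response to another.
  return { 'Vary' => 'Origin' } unless origin && allowlist.include?(origin)

  common.merge(
    'Access-Control-Allow-Origin' => origin,
    'Access-Control-Allow-Credentials' => 'true', # header values are strings
    'Vary' => 'Origin'
  )
end
```

In a controller, the returned hash would be merged into `response.headers`, with `request.headers['Origin']` as the input.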

jpbalarini (Owner, Author) commented Dec 19, 2019

@danielpowell4 updated the gist to remove the deprecated render :text. 👍

alik78 commented Apr 7, 2020

If you are using rack-cors gem, you can just do this in config/initializers/cors.rb:

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*',
             headers: :any,
             credentials: true,
             methods: [:get, :post, :put, :patch, :delete, :options, :head]
  end
end

fabien7337 commented Apr 28, 2020

> If you are using rack-cors gem, you can just do this in config/initializers/cors.rb:
>
> Rails.application.config.middleware.insert_before 0, Rack::Cors do
>   allow do
>     origins '*'
>     resource '*',
>              headers: :any,
>              credentials: true,
>              methods: [:get, :post, :put, :patch, :delete, :options, :head]
>   end
> end

Nope because Rack-Cors never works as intended...
