
@jpbalarini
Last active November 19, 2021 16:00
Ruby on Rails CORS Preflight Check
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_action :cors_set_access_control_headers

  # Answers the browser's OPTIONS preflight with the CORS headers and an empty body
  def cors_preflight_check
    return unless request.method == 'OPTIONS'
    cors_set_access_control_headers
    render json: {}
  end

  protected

  def cors_set_access_control_headers
    response.headers['Access-Control-Allow-Origin'] = '*'
    response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
    response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, Token, ' \
      'Auth-Token, Email, X-User-Token, X-User-Email, x-xsrf-token'
    response.headers['Access-Control-Max-Age'] = '1728000'
    # Header values must be strings. Note that browsers do not honour
    # credentials together with the wildcard origin set above.
    response.headers['Access-Control-Allow-Credentials'] = 'true'
  end
end

# config/routes.rb
match '*all', controller: 'application', action: 'cors_preflight_check', via: [:options]
@betocattani

Nice my friend, thanks!

@dipunj

dipunj commented Aug 28, 2019

This is just so helpful. Thanks a lot man!

@danielpowell4

Per rails/rails#12374, render :text is deprecated.

So for my use, which is a tad different from this gist (which I was rather thankful for):

before_action :whitelist_cors

def whitelist_cors
  response.headers['Access-Control-Allow-Origin'] = allow_origin_header
  response.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
  response.headers['Access-Control-Allow-Headers'] = 'origin, content-type, accept'
  return render plain: '' if cors_preflight_check?
end

def cors_preflight_check?
  request.request_method == 'OPTIONS'
end

def allow_origin_header
  if public?
    '*'
  else
    # whitelist request.headers['origin'] or error
  end
end

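The allow-list idea sketched in the comment above, as an added example that is not code from the gist or from any commenter: a plain-Ruby model of the same header logic, with an explicit origin allow-list in place of '*' so that Access-Control-Allow-Credentials can actually be honoured by browsers. ALLOWED_ORIGINS, cors_headers and preflight? are hypothetical names; the request is assumed to be a Hash with :method and downcased :headers.

```ruby
# Added example, not code from the gist: a plain-Ruby model of the header logic,
# with an explicit origin allow-list in place of '*' so that credentials can
# actually be honoured by browsers. ALLOWED_ORIGINS and the other names are
# hypothetical; the request is a Hash with :method and downcased :headers.
ALLOWED_ORIGINS = %w[https://app.example.com https://admin.example.com].freeze
ALLOWED_METHODS = %w[POST GET PUT PATCH DELETE OPTIONS].freeze
ALLOWED_HEADERS = %w[origin content-type accept authorization x-xsrf-token].freeze
PREFLIGHT_MAX_AGE = '1728000' # same lifetime the gist uses

# True only for a real preflight: OPTIONS plus Access-Control-Request-Method.
def preflight?(request)
  request[:method] == 'OPTIONS' &&
    request[:headers].key?('access-control-request-method')
end

# Returns the CORS headers to add, or {} when the Origin is missing, not on the
# allow-list, or the preflight asks for a method/header we do not permit
# (with no CORS headers the browser blocks the cross-origin read).
def cors_headers(request)
  origin = request[:headers]['origin']
  return {} unless origin && ALLOWED_ORIGINS.include?(origin)

  headers = {
    'Access-Control-Allow-Origin'      => origin,  # echo the specific origin, never '*'
    'Access-Control-Allow-Credentials' => 'true',  # header values must be strings
    'Vary'                             => 'Origin' # keep caches from reusing one origin's answer for another
  }
  return headers unless preflight?(request)

  wanted_method  = request[:headers]['access-control-request-method'].upcase
  wanted_headers = request[:headers].fetch('access-control-request-headers', '')
                                    .split(',').map { |h| h.strip.downcase }.reject(&:empty?)
  return {} unless ALLOWED_METHODS.include?(wanted_method)
  return {} unless (wanted_headers - ALLOWED_HEADERS).empty?

  headers.merge(
    'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers' => ALLOWED_HEADERS.join(', '),
    'Access-Control-Max-Age'       => PREFLIGHT_MAX_AGE
  )
end
```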
@jpbalarini
Author

jpbalarini commented Dec 19, 2019

@danielpowell4 updated the gist to remove the deprecated render :text. 👍

@alik78

alik78 commented Apr 7, 2020

If you are using rack-cors gem, you can just do this in config/initializers/cors.rb:

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    # Note: browsers ignore credentials for a wildcard origin, and current
    # rack-cors raises CorsMisconfigurationError for this combination.
    resource '*',
             headers: :any,
             credentials: true,
             methods: [:get, :post, :put, :patch, :delete, :options, :head]
  end
end

@fabien7337

> If you are using rack-cors gem, you can just do this in config/initializers/cors.rb:
>
> Rails.application.config.middleware.insert_before 0, Rack::Cors do
>   allow do
>     origins '*'
>     resource '*',
>              headers: :any,
>              credentials: true,
>              methods: [:get, :post, :put, :patch, :delete, :options, :head]
>   end
> end

Nope because Rack-Cors never works as intended...

@christianaranda

To anyone still relying on this and the Medium post, the "correct" way to render the response is now head :no_content (notice there is no render).
