Ruby on Rails CORS Preflight Check

```ruby
# In ApplicationController
before_action :cors_set_access_control_headers

def cors_preflight_check
  return unless request.method == 'OPTIONS'

  cors_set_access_control_headers
  render json: {}
end

protected

def cors_set_access_control_headers
  # Browsers refuse credentialed cross-origin responses when Allow-Origin is '*'.
  response.headers['Access-Control-Allow-Origin'] = '*'
  response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
  response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, Token, ' \
                                                     'Auth-Token, Email, X-User-Token, X-User-Email, x-xsrf-token'
  response.headers['Access-Control-Max-Age'] = '1728000'
  # Header values must be strings; the browser looks for the literal "true".
  response.headers['Access-Control-Allow-Credentials'] = 'true'
end

# In config/routes.rb
match '*all', controller: 'application', action: 'cors_preflight_check', via: [:options]
```

@betocattani betocattani commented Nov 23, 2018

Nice my friend, thanks!


@dipunj dipunj commented Aug 28, 2019

This is just so helpful. Thanks a lot man!


@danielpowell4 danielpowell4 commented Oct 31, 2019

Per rails/rails#12374, `render :text` is deprecated.

So for my use, which is a tad different than this gist, which I was rather thankful for:

```ruby
before_action :whitelist_cors

def whitelist_cors
  response.headers['Access-Control-Allow-Origin'] = allow_origin_header
  response.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
  response.headers['Access-Control-Allow-Headers'] = 'origin, content-type, accept'
  return render plain: '' if cors_preflight_check?
end

def cors_preflight_check?
  request.request_method == 'OPTIONS'
end

def allow_origin_header
  if public?
    '*'
  else
    # whitelist request.headers['origin'] or error
  end
end
```
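
One way to fill in the `# whitelist request.headers['origin'] or error` branch from the comment above, as an added example (plain Ruby, not code from the gist or its commenters): it echoes back only exact-match origins, sets `Vary: Origin`, and never pairs `*` with credentials. `ALLOWED_ORIGINS`, `cors_headers_for` and `normalize_origin` are hypothetical names, and the origins are constructed.

```ruby
require 'uri'

# Constructed allowlist for illustration; replace with your real front-end origins.
ALLOWED_ORIGINS = %w[https://app.example.com https://admin.example.com].freeze

# Returns the CORS response headers for one request, or {} when the origin is
# not allowed (the browser then blocks the cross-origin read).
def cors_headers_for(origin, public_endpoint: false, allowlist: ALLOWED_ORIGINS)
  base = {
    'Access-Control-Allow-Methods' => 'POST, OPTIONS',
    'Access-Control-Allow-Headers' => 'origin, content-type, accept'
  }
  # Public data: a wildcard is acceptable, but it is never sent with credentials.
  return base.merge('Access-Control-Allow-Origin' => '*') if public_endpoint

  normalized = normalize_origin(origin)
  # Exact string match only: no prefix, suffix or regex matching on the origin.
  return {} unless normalized && allowlist.include?(normalized)

  base.merge(
    'Access-Control-Allow-Origin' => normalized,
    'Access-Control-Allow-Credentials' => 'true',
    'Vary' => 'Origin' # caches must not reuse this response for another origin
  )
end

# Canonicalise to scheme://host[:port]; rejects "null", non-http(s) schemes,
# userinfo, and anything carrying a path, query or fragment.
def normalize_origin(origin)
  return nil if origin.nil? || origin.empty?

  uri = URI.parse(origin)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  return nil unless uri.userinfo.nil? && uri.path.empty? && uri.query.nil? && uri.fragment.nil?

  default_port = uri.port == uri.default_port
  "#{uri.scheme}://#{uri.host.downcase}#{default_port ? '' : ":#{uri.port}"}"
rescue URI::InvalidURIError
  nil
end
```

In a controller, the returned hash would be merged into `response.headers` with `request.headers['Origin']` as the input, and an empty hash means no CORS headers are sent at all.
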
Owner Author

@jpbalarini jpbalarini commented Dec 19, 2019

@danielpowell4 updated the gist to remove the deprecated render :text. 👍


@alik78 alik78 commented Apr 7, 2020

If you are using rack-cors gem, you can just do this in config/initializers/cors.rb:

```ruby
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*',
             headers: :any,
             credentials: true,
             methods: [:get, :post, :put, :patch, :delete, :options, :head]
  end
end
```

@fabien7337 fabien7337 commented Apr 28, 2020

> If you are using rack-cors gem, you can just do this in config/initializers/cors.rb:
>
> ```ruby
> Rails.application.config.middleware.insert_before 0, Rack::Cors do
>   allow do
>     origins '*'
>     resource '*',
>              headers: :any,
>              credentials: true,
>              methods: [:get, :post, :put, :patch, :delete, :options, :head]
>   end
> end
> ```

Nope because Rack-Cors never works as intended...


@christianaranda christianaranda commented Nov 19, 2021

To anyone still relying on this and the Medium post, the "correct" way to render the response is now `head :no_content` (notice there is no `render`).
