How to set access-control-allow-origin in webrick under rails?
Solution 1
If you're on Rails 2 just add this to your application contoller.
before_filter :set_access
def set_access
@response.headers["Access-Control-Allow-Origin"] = "*"
end
Obviously changing "*"
to something a little less open would be a good idea.
Solution 2
Rails 4 (http://edgeguides.rubyonrails.org/security.html#default-headers)
In config/application.rb:
config.action_dispatch.default_headers.merge!({
'Access-Control-Allow-Origin' => '*',
'Access-Control-Request-Method' => '*'
})
Solution 3
Rails 3.1
class ApplicationController < ActionController::Base
protect_from_forgery
after_filter :set_access_control_headers
def set_access_control_headers
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Request-Method'] = '*'
end
end
Solution 4
Rails 3.1 - using a controller after_filter did not work for me so I added a custom middleware instead:
In app/middleware/cors_middleware.rb:
# For icons to work in Firefox with CDN
class CorsMiddleware
def initialize(app)
@app = app
end
def call(env)
status, headers, body = @app.call(env)
cors_headers = headers.merge({
'Access-Control-Allow-Origin' => '*',
'Access-Control-Request-Method' => '*'
})
[status, cors_headers, body]
end
end
In config/application.rb:
require File.join(Rails.root, "app", "middleware", "cors_middleware")
config.middleware.insert_before ActionDispatch::Static, CorsMiddleware # Need it early in the chain to work for assets
Solution 5
Rails 2.3.8
before_filter :allow_cross_domain_access
def allow_cross_domain_access
response.headers["Access-Control-Allow-Origin"] = "*"
response.headers["Access-Control-Allow-Methods"] = "*"
end
Comments
-
brad over 3 years
I have written a small rails app to serve up content to another site via xmlhttprequests that will be operating from another domain (it will not be possible to get them running on the same server). I understand I will need to set access-control-allow-origin on my rails server to allow the requesting web page to access this material.
It seems fairly well documented how to do this with Apache and this is probably the server I will use once I deploy the site. While I am developing though I hope to just use webrick as I am used to doing with rails. Is there a way of configuring webrick to provide the appropriate http header within rails?
-
brad over 13 yearsWow, you dragged that question out of the bowels of history. Thanks (unfortunately I abandoned that project for other reasons some time ago but this is useful to have out there)
-
Daniel Rikowski about 10 years+1 Be aware that the code above also removes the existing default headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options)
-
Noz almost 10 years@DanielRikowski So it's no problem if we simply add those default headers back to the list, right?
-
Daniel Rikowski almost 10 years@Noz: That's correct. Either by adding them to the hash or by just merging in the additional headers above.
-
BradGreens almost 10 yearsperhaps rails 4? edit: rails 4 is below ;) stackoverflow.com/a/17815546/845717
-
lightswitch05 almost 10 yearsUpdated answer to not remove existing default headers
-
Aaron Gray over 8 yearsI believe enabling CORS to all domains like this has some significant security impacts. code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
-
Sean Huber almost 8 yearsFor Rails 4 (specific action):
response.headers["Access-Control-Allow-Origin"] = "*"