In order to bypass CORS issues, I have inserted a regular expression to catch all incoming urls (the first 6 digits can vary). However this is only functioning when the regexp is taken out, despite the Rack::Cors documentation indicating this is possible. What steps can I take to resolve this issue? What am I not thinking here that could be a potential issue?
Working:
config.middleware.insert_before 0, Rack::Cors do
allow do
origins %w[100200.apps.zdusercontent.com 222334.apps.zdusercontent.com ]
resource '*', headers: :any, methods: %i[get post head]
end
Not Working:
config.middleware.insert_before 0, Rack::Cors do
allow do
origins %w[/\Ahttps:\/\/[0-9]{1,6}\.apps\.zdusercontent\.com\z/]
resource '*', headers: :any, methods: %i[get post head]
end
Error:
Failed to load https://100200.app.zdusercontent.com: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Why are you passing array to origins when you are using regex? Can you try like this?
config.middleware.insert_before 0, Rack::Cors do
allow do
origins /\Ahttps:\/\/[0-9]{1,6}\.apps\.zdusercontent\.com\z/
resource '*', headers: :any, methods: %i[get post head]
end
end
If you are using Rails 6 and above, check if you need to add hosts in application.rb file too.
Related
This question already has an answer here:
CORS Error: “requests are only supported for protocol schemes: http…” etc
(1 answer)
Closed 2 years ago.
I have a react app running on localhost:3001 and a rails 6 api backend on localhost:3000
I keep getting cors errors when I post from react to rails. The rails app has Rack Cors.
I've tried adding this to cors.rb in the initializers folder.
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '*', headers: :any, methods: :any
end
end
It didn't work, I also tried to add it to application.rb and config.ru. Noting has worked, and I am confused.
allow do
origins '*'
resource '*', :headers => :any, :methods => :any
end
if this will not work try putting
origins 'localhost:3001'
Hope it helps
I have problem After google cache my AMP page. I am implementing amp page with rails 5. Using rake-cors gem for cross-origin. Normally page working fine but after the cache is shown console error.
Error:
The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'https://www-myurl-in.cdn.ampproject.org' is therefore not allowed access.
config/application.rb
config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'https://www-myurl-in.cdn.ampproject.org'
resource '*', :headers => :any, :methods => [:get, :post, :options]
end
end
I don't know where I change in my code, Please help me.
After modifying Response Header its working fine.
response.headers['AMP-Redirect-To'] = request.protocol+request.host_with_port+url
response.headers['Access-Control-Expose-Headers'] = 'AMP-Redirect-To, AMP-Access-Control-Allow-Source-Origin'
response.headers['AMP-Access-Control-Allow-Source-Origin'] = params[:__amp_source_origin]
I have an Rails 5 API project and I'm using rack-cors.
Situation:
I have some static JSON files in public/files folder, like this:
{
"example": "123456"
...
}
I can access them perfectly (from Angular client) in development, but it doesn't work in production.
In production, I'm getting the common error:
XMLHttpRequest cannot load
https://myhost.com/files/my_file.json. No
'Access-Control-Allow-Origin' header is present on the requested
resource.
The most stranger thing is that I can access the url (https://myhost.com/files/my_file.json) manually in browser without any problems.
Actual configuration:
config/initializers/cors.rb:
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins my_origins
resource '*',
expose: ['awesome_token'],
headers: :any,
methods: %i[delete get head options patch post put]
end
end
Possible configuration:
So after some research, I found the following:
environments/production.rb:
# Added the following
config.public_file_server.enabled = true
cors.rb:
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins my_origins
resource '*',
expose: ['awesome_token'],
headers: :any,
methods: %i[delete get head options patch post put]
end
end
# Added the following
Rails.application.config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
allow do
origins '*'
resource '*',
headers: :any,
methods: %i[delete get head options patch post put]
end
end
But it make absolutely no difference.
So, my question is: Is there something that I'm missing? What's wrong?
PS: Every request is working fine, the problem is with this static JSON files in public/files folder (in production build).
I'm building an app with Rails 5 API. Currently, anyone sending request to my rails server can receive response.
I want to process only those requests whose origin is mydomain.com
How can I do so?
I believe you'll want to implement CORS on your API.
Simply add rack-cors gem.
And add:
#config/application.rb
config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'mydomain.com' resource '*', :headers => :any, :methods => [:get, :post, :options]
end
end
Please read carefully its documentation
You'll find very useful information there.
I am out of ideas. I made a small app for a friend who is using it in a school. As long as it is on non-school internet, it works fine. At school, though, there are two buttons that don't work. They both are making an ajax request to a different controller. They give a no access-control-allow-origin header error. I have tried every fix that I can find, and nothing will work. I am out of ideas. The current iteration involves the rack-cors gem, which I have below. I have also tried the fixes at
CORS issue: Getting error "No 'Access-Control-Allow-Origin' header is present" when it actually is, XMLHttpRequest No 'Access-Control-Allow-Origin' header is present on the requested resource, http://www.yihangho.com/rails-cross-origin-resource-sharing/, and http://leopard.in.ua/2012/07/08/using-cors-with-rails/. Is there anything else I can do?
config.ru
require 'rack/cors'
use Rack::Cors do
allow do
origins '*'
resource '*',
:headers => :any,
:methods => [:get, :post, :delete, :put, :options, :patch]
end
end
application.rb
config.middleware.insert_before 0, "Rack::Cors" do
allow do
origins '*'
resource '*', headers: :any, methods: [:get, :post, :patch, :options, :put]
end
end
CORS is designed to prevent cross domain XML requests.
I'm not sure as to the specific reasons for this, but the short of it is that if you try and hit an external domain with Ajax (without CORS permissions granted), it will be denied.
As long as it is on non-school internet, it works fine
Yep, because the "domain" will be considered "local" Sorry I misread that as "Intranet".
This will depend on the server you're accessing - you need to make sure the server has CORS enabled.
I've dealt with a similar issue to you before.
You've done the right thing by using rack-cors:
#config/application.rb
config.middleware.insert_before 0, "Rack::Cors" do
allow do
origins '*' #-> has to be "*" or specific
resource '*', headers: :any, methods: [:get, :post, :options]
end
end
If you're using this (remember, you have to restart your server to get it working), it should work.
The main considerations for CORS are the origin and resource - they either have to be "*" (all), or explicitly defined (IE google.com or something).
In your case, allowing them "all" should be okay to test - you'll then need to ensure you have the specific domain defined.