I am upgrading Rails application from Rails 4.1.1 to Rails 5.1.4.
I have 2 applications, One is Web app(using for angular), and other is API app.
What I am doing, I am sending request from Web app(Rails with Angular) and fetching data from API app. But when I send request from Web app got error mentioned below:
Failed to load http://api.myapp:3001/user: Response to preflight
request doesn't pass access control check: The value of the
'Access-Control-Allow-Origin' header in the response must not be the
wildcard '*' when the request's credentials mode is 'include'. Origin
'http://myapp:3000' is therefore not allowed access. The credentials
mode of requests initiated by the XMLHttpRequest is controlled by the
withCredentials attribute.
http://myapp:3000' -> Web application and request sending to API
http://api.myapp:3001/user -> API application to send response
After google the issue, I found one gem called rack-cors.
In Web and API both application, I have added
config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '*', :headers => :any, :methods => [:get, :post, :options]
end
end
But still getting the issue. Please let me know.
Well, the message:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include']
Seems that you are sending credential information from your Angular application and the domain is not whitelisted. You could try, for test, set withCredentials to false, or permit the domain.
This could help you: http://50linesofco.de/post/2017-03-06-cors-a-guided-tour
Related
I built a Chrome extension that saves web content to my Rails app. Originally I was able to rely on the existing Rails/Devise user session to ensure content was being saved to the right user, as long as the CORS settings were opened up on my API controller (see code below). As long as the user was logged in, AJAX calls to my site from the Chrome extension were being authenticated correctly, no matter what site the extension was being used on.
However, in early 2020 Chrome introduced changes to how they they handle cross-site requests (see here, here, and here). Specifically, a cookie's SameSite attribute would now default to 'Lax' instead of 'None', and so to use a cross-site cookie, the cookie setting would need to be explicitly set to SameSite=None; Secure.
Rails' own user session cookie does not have the SameSite=None; Secure settings, and so using the Rails session to authenticate my Chrome extension's request was no longer an option.
My fix was to generate my own API authentication cookie whenever the user logged into the app, which did have the necessary SameSite=None; Secure applied. I was able to authenticate API calls from my Chrome extension using this cookie, and all was well.
And then in early September 2020 it suddenly stopped working. Rails no longer reads the cross-site cookie from Chrome extension requests. There's no error or warning, the value is just null.
API Controller:
# This gets called when user logs into app:
def set_cross_site_cookie
# NOTE: Won't work in dev because secure = true
cookies[:foo_cookie] = {
value: 'bar',
expires: 1.year.from_now,
same_site: :none, # Required in order to access from Chrome extension on different site
secure: true # Required in order to access from Chrome extension on different site
}
cookie = cookies[:foo_cookie]
render json: {cookie: cookie}
end
# This SHOULD work when called from our Chrome extension:
def get_cross_site_cookie
# Add headers to allow CORS requests
# SEE: http://stackoverflow.com/questions/298745/how-do-i-send-a-cross-domain-post-request-via-javascript
response.headers['Access-Control-Allow-Origin'] = '*'
response.headers['Access-Control-Request-Method'] = %w{GET POST OPTIONS}.join(",")
cookie = cookies[:foo_cookie]
render json: {cookie: cookie}
end
Rails 5, Rack 2.1
(NOTE: In order to set Rails cookies with option same_site: none you apparently need need to be on a rack version that's higher than 2.1.0 - SEE: https://github.com/rails/rails/pull/28297#issuecomment-600566751)
Anybody know what happened?
I still don't know why the cross-site cookies suddenly stopped working, but here's how I hacked around it:
The workaround was to use the Chrome extension cookie API to read my Rails API authentication cookies into Chrome's local storage. Since we can enable access to cookies of any specific site in the extension manifest, it actually doesn't matter whether they're cross-site cookies or not.
Once the API cookie would get read into storage, we could then pass it along as an auth token with every request, basically using it as a pseudo-cookie.
So the full flow is that the user clicks the extension button, the extension reads in the API authentication cookies based on the explicit cookie permissions it has for that domain, and if the cookie is missing or outdated, it forces the user to log in. If the cookie is valid, it is passed as an auth token in the params or headers of every API call.
SIDENOTE ON PRE-FLIGHT OPTIONS REQUESTS:
You may also have to deal with the OPTIONS pre-flight requests that will be sent with certain cross-site AJAX (I think it's only an issue with content-type JSON POSTS but don't quote me), as they'll trigger an ActionController::RoutingError (No route matches [OPTIONS]) error in Rails. The recommended answer was to use the rack-cors gem, which indeed solved the issue.
SEE:
Why is an OPTIONS request sent and can I disable it - Stack Overflow ***
How to respond to OPTIONS HTTP Method in rails-api - Stack Overflow
Rails Responds with 404 on CORS Preflight Options Request - Stack Overflow
Perform HTTP OPTIONS request from Rails 5 for CORS pre-flight or otherwise - Stack Overflow
I'm trying to enable OAuth via google. I've configured that callback URL but when trying to authenticate I get an error saying
The redirect URI in the request, https://example.com/users/auth/google_oauth2/callback, does not match the ones authorized for the OAuth client
I set Authorized JavaScript origins to https://example.com and the redirect to https://example.com/users/auth/google_oauth2/callback.
I'm using devise 4.3.3
I would aim to trace HTTPS messages so that you can see exactly what is being sent over the wire - use a tool such as Fiddler or Charles.
Standard messages for a Web UI look like those from my write up. Google messages will be equivalent.
Hopefully this approach will enable you to resolve your own problem. If not then please update your question with full HTTP message details
I am using react for the front end and Ruby on Rails for the back end. I am using version 2.6.1 for ruby on rails.
When I started my application I am getting an error saying...
"Access to fetch at 'http://localhost:3000/profile' from origin 'http://localhost:3001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
I'm using a C9 AWS instance to run an API REST written in ruby on rails, and i'm consuming the resources from an Ionic App with simple http calls.
When i make a http request from the ionic app, the server response with this message:
Failed to load https://the_server.vfs.cloud9.us-east-2.amazonaws.com/resource: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access. The response had HTTP status code 404.
How can I enable the CORS in the Cloud 9 instance ?
I have already enable the CORS in rails with the rack-cors gem
The call to https://the_server.vfs.cloud9.us-east-2.amazonaws.com/resource is being handled by a proxy. To allow CORS, you need to call the server directly. You can do that
by connecting to the server IP address, and opening the correct ports. It's described here: https://docs.aws.amazon.com/cloud9/latest/user-guide/app-preview.html?icmpid=docs_ac9_ide#app-preview-share
I have a problem with Heroku and my ReactJS application on the front-end side. I have RESTfull API with Ruby on Rails uploaded on the Heroku server ( to do some testings before I purchase actual hosting), and suddenly from today, i cannot use my API on the Heroku, due Privacy and SSL errors ( I didn't change or update anything on Heroku and the API). I got those errors on the browser :
I cannot find any solution online. Any suggestion?
You can use rack cors to enable CORS. Add this code to your config/application.rb
use Rack::Cors do
allow do
origins '*'
resource '*', headers: :any, methods: :any
end
end