rack-cors failing on production build - ruby-on-rails

I have an Rails 5 API project and I'm using rack-cors.
Situation:
I have some static JSON files in public/files folder, like this:
{
"example": "123456"
...
}
I can access them perfectly (from Angular client) in development, but it doesn't work in production.
In production, I'm getting the common error:
XMLHttpRequest cannot load
https://myhost.com/files/my_file.json. No
'Access-Control-Allow-Origin' header is present on the requested
resource.
The most stranger thing is that I can access the url (https://myhost.com/files/my_file.json) manually in browser without any problems.
Actual configuration:
config/initializers/cors.rb:
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins my_origins
resource '*',
expose: ['awesome_token'],
headers: :any,
methods: %i[delete get head options patch post put]
end
end
Possible configuration:
So after some research, I found the following:
environments/production.rb:
# Added the following
config.public_file_server.enabled = true
cors.rb:
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins my_origins
resource '*',
expose: ['awesome_token'],
headers: :any,
methods: %i[delete get head options patch post put]
end
end
# Added the following
Rails.application.config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
allow do
origins '*'
resource '*',
headers: :any,
methods: %i[delete get head options patch post put]
end
end
But it make absolutely no difference.
So, my question is: Is there something that I'm missing? What's wrong?
PS: Every request is working fine, the problem is with this static JSON files in public/files folder (in production build).

Related

Implementing a Regex solution in Rack CORS

In order to bypass CORS issues, I have inserted a regular expression to catch all incoming urls (the first 6 digits can vary). However this is only functioning when the regexp is taken out, despite the Rack::Cors documentation indicating this is possible. What steps can I take to resolve this issue? What am I not thinking here that could be a potential issue?
Working:
config.middleware.insert_before 0, Rack::Cors do
allow do
origins %w[100200.apps.zdusercontent.com 222334.apps.zdusercontent.com ]
resource '*', headers: :any, methods: %i[get post head]
end
Not Working:
config.middleware.insert_before 0, Rack::Cors do
allow do
origins %w[/\Ahttps:\/\/[0-9]{1,6}\.apps\.zdusercontent\.com\z/]
resource '*', headers: :any, methods: %i[get post head]
end
Error:
Failed to load https://100200.app.zdusercontent.com: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Why are you passing array to origins when you are using regex? Can you try like this?
config.middleware.insert_before 0, Rack::Cors do
allow do
origins /\Ahttps:\/\/[0-9]{1,6}\.apps\.zdusercontent\.com\z/
resource '*', headers: :any, methods: %i[get post head]
end
end
If you are using Rails 6 and above, check if you need to add hosts in application.rb file too.

Rails 6, React, Rack-Cors [duplicate]

This question already has an answer here:
CORS Error: “requests are only supported for protocol schemes: http…” etc
(1 answer)
Closed 2 years ago.
I have a react app running on localhost:3001 and a rails 6 api backend on localhost:3000
I keep getting cors errors when I post from react to rails. The rails app has Rack Cors.
I've tried adding this to cors.rb in the initializers folder.
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '*', headers: :any, methods: :any
end
end
It didn't work, I also tried to add it to application.rb and config.ru. Noting has worked, and I am confused.
allow do
origins '*'
resource '*', :headers => :any, :methods => :any
end
if this will not work try putting
origins 'localhost:3001'
Hope it helps

AMP Access-Control-Allow-Credentials Error

I have problem After google cache my AMP page. I am implementing amp page with rails 5. Using rake-cors gem for cross-origin. Normally page working fine but after the cache is shown console error.
Error:
The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'https://www-myurl-in.cdn.ampproject.org' is therefore not allowed access.
config/application.rb
config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'https://www-myurl-in.cdn.ampproject.org'
resource '*', :headers => :any, :methods => [:get, :post, :options]
end
end
I don't know where I change in my code, Please help me.
After modifying Response Header its working fine.
response.headers['AMP-Redirect-To'] = request.protocol+request.host_with_port+url
response.headers['Access-Control-Expose-Headers'] = 'AMP-Redirect-To, AMP-Access-Control-Allow-Source-Origin'
response.headers['AMP-Access-Control-Allow-Source-Origin'] = params[:__amp_source_origin]

Ruby on Rails - AJAX request not working (cross-origin), tried everything

(sorry for bad english)
I try to execute an ajax request but it doesn't work due to same-origin policy. My application is not deployed yet and I use Ruby on Rails 3.2.3 with Unicorn server.
The AJAX request is in an asset javascript file and I call it in a view. when I try to get the datas from the AJAX requests, the console says
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [url]. This can be fixed by moving the resource to the same domain or enabling CORS."
I tried everything :
Use jsonp in ajax request : console.log said syntax error
Use rack cors, with making everything said on the readme (https://github.com/cyu/rack-cors), but it didn't work, still the same message in the console (restatring server or not)
Try some syntaxes for rack-cors said on every post about it in stack overflow I could find, I tried this :
application.rb :
config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
allow do
origins '*'
resource '*', :headers => :any, :methods => [:get, :post, :options], expose: :location
end
but it didn't work, and I tried this in config.ru
use Rack::Cors do
# allow all origins in development
allow do
origins 'localhost:3000'
resource '*',
:headers => :any,
:methods => [:get, :post, :delete, :put, :options]
end
end
I tried this code with "origins 'localhost:3000'" ans with "origins '*'" but none of them worked, I didn't forgot the "require 'rack/cors'"
I am desperte, could you help me please ?
It is almost undoubtedly that you aren't defining the proper headers to allow access. The following walk-through should get you going:
http://dotnet-concept.com/Tip/2015/3/5798824/Cross-Origin-Request-Blocked-The-Same-Origin-Policy-disallows-reading-the-remote-resource-This-can-be-fixed-by-moving-the-resource-to-the-same-domain-or-enabling-CORS-
We had a similar situation that was resolved using rack-cors
Gemefile:
gem 'rack-cors', :require => 'rack/cors'
application.rb:
config.middleware.insert_before 0, "Rack::Cors" do
allow do
origins '*'
resource '*', :headers => :any, :methods => [:get, :post, :options]
end
end
Don't forget to restart your rails server!
EDIT:
It just occurred to me, that this will only work in production if you are using your app server as the web server as well. If you are using Nginx or Apache as your web server, then your static assets will be served from it. You will have to enable CORS on Nginx/Apache.

CORS issue using Grape API and Heroku

I have a read-only API and it works well locally with a Vagrant setup. Live on my Heroku app, every API request is denied due to a CORS error: "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access."
In my API's base class, I have the following to set the headers:
module API
class Base < Grape::API
before do
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
headers['Access-Control-Request-Method'] = '*'
headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Authorization'
end
mount API::V1::Base
end
end
I suspect that this before call is not being fired—if I use a puts statement inside of it, that statement does not appear in my console with the rest of the output.
I am at a loss. Hopefully someone has some experience with this. Thank you.
Edit: I have also followed Grape's CORS instructions but get the same result.
Success. I used the rack-cors gem and the following:
#application.rb
config.middleware.use Rack::Cors do
allow do
origins '*'
# location of your API
resource '/api/*', :headers => :any, :methods => [:get, :post, :options, :put]
end
end
You get Access-Control-Allow-Origin error every time you made a request.
This is probably because your server API does not respond to OPTIONS requests with the headers required for CORS.
You can check it in the development console -> network tab if you are using Google Chrome.
It's interesting that some Javascript frameworks do make an OPTIONS request before a normal request is sent to the server.
Solution:
Modify your Gemfile to include 'rack-cors'.
Run bundle install
Modify your config.ru:
*if you get errors launching rails server, check your API namespace after 'run'
require 'rack/cors'
use Rack::Cors do
allow do
origins '*'
resource '*', headers: :any, methods: [:get, :post, :options, :put]
end
end
run API::V1::Base
Now you should see Grape handles all OPTIONS requests with the CORS headers.

Resources