Enable CORS for GET and OPTIONS requests

Gemfile

@@ -11,6 +11,7 @@ gem 'net-http-persistent'
 gem 'airbrake'
 gem 'rack-contrib'
 gem 'jbuilder'
+gem 'rack-cors'
 
 gem 'us_states', :git => 'git://github.com/GSA/us_states.git'
 

Gemfile.lock

@@ -94,6 +94,7 @@ GEM
       rack (>= 0.4)
     rack-contrib (1.1.0)
       rack (>= 0.9.1)
+    rack-cors (0.3.1)
     rack-ssl (1.3.3)
       rack
     rack-test (0.6.2)
@@ -189,6 +190,7 @@ DEPENDENCIES
   nokogiri
   oj
   rack-contrib
+  rack-cors
   rails (= 3.2.13)
   rails-api
   rspec

config/application.rb

@@ -24,5 +24,11 @@ class Application < Rails::Application
 
     config.middleware.use Rack::JSONP
 
+    config.middleware.insert_before 0, "Rack::Cors" do
+      allow do
+        origins '*'
+        resource '*', headers: :any, methods: [:get, :options]
+      end
+    end
   end
 end

spec/cors_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+class DummyController < ApplicationController
+  def show
+    render text: 'text'
+  end
+end
+
+describe DummyController, type: :request do
+  describe '#show' do
+    before do
+      Rails.application.routes.draw do
+        match '/show' => 'dummy#show'
+      end
+
+      get 'show', nil, { 'HTTP_ORIGIN' => 'http://www.example.com' }
+    end
+
+    after do
+      Rails.application.reload_routes!
+    end
+
+    it 'should respond with an "Access-Control-Allow-Origin" header' do
+      expect(headers.keys).to include('Access-Control-Allow-Origin')
+    end
+
+    %w[GET OPTIONS].each do |verb|
+      it "should respond with a 'Access-Control-Allow-Methods' header allowing #{verb}" do
+        allowed_methods = headers['Access-Control-Allow-Methods'].split(', ')
+        expect(allowed_methods).to include(verb)
+      end
+    end
+  end
+end