Rails 5.0.0 - Access-Control-Allow-Origin #125

Open
vlbgomes opened this Issue Sep 16, 2016 · 6 comments


vlbgomes commented Sep 16, 2016

Hello,

I run Rails 5.0 on Heroku and I've followed all the steps, but the following error persists:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://kabrabom.herokuapp.com' is therefore not allowed access.

File config.ru:

use Rack::Cors do
  allow do
    origins 'localhost:3000', '127.0.0.1:3000',
            /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/
    resource '/file/list_all/', :headers => 'x-domain-token'
    resource '/file/at/*',
        :methods => [:get, :post, :delete, :put, :patch, :options, :head],
        :headers => 'x-domain-token',
        :expose  => ['Some-Custom-Response-Header'],
        :max_age => 600

  end
  allow do
    origins '*'
    resource '/public/*', :headers => :any, :methods => :get
  end
end

File config/application.rb:

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :post, :options]
  end
end

Middleware output:

use Rack::Cors
use Rack::Sendfile
use ActionDispatch::Static
use ActionDispatch::Executor
use ActiveSupport::Cache::Strategy::LocalCache::Middleware
use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::RemoteIp
use ActionDispatch::Callbacks
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use Warden::Manager
run Kabrabom::Application.routes

Postman's plugin results:

Accept:text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
X-DevTools-Emulate-Network-Conditions-Client-Id:747d2432-8d59-43e3-aa3e-62baac1833ca,747d2432-8d59-43e3-aa3e-62baac1833ca
Origin:http://kabrabom.herokuapp.com
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Referer:http://kabrabom.herokuapp.com/professional_professions/new?_sm_au_=iFVn48qbQPRVWLGM
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4

Important: I am connected by my company's proxy.

I'd be really thankful if you, @cyu, can help me.

Thanks!!!

@vlbgomes vlbgomes changed the title from Rails 5 - to Rails 5.0.0 - Access-Control-Allow-Origin Sep 16, 2016

galettan commented Nov 8, 2016

OK, do you have any update on this question?

I'm having the same issue right now :-)

so77id commented Dec 15, 2016

Any response to this problem? :'(

corps commented Feb 2, 2017

I also ran into several problems configuring CORS, but in the end it was not rack-cors but my configuration that was wrong. CORS configuration is difficult because it is precise; if Access-Control-Allow-Origin is not being returned, it's because your request did not match your configuration /precisely/.

Looking at your config.ru, I can already guess your problem:

    resource '/file/list_all/', :headers => 'x-domain-token'
    resource '/file/at/*',
        :methods => [:get, :post, :delete, :put, :patch, :options, :head],
        :headers => 'x-domain-token',
        :expose  => ['Some-Custom-Response-Header'],
        :max_age => 600

First try setting :headers to :any. I bet you are setting the Content-Type of your requests, right? Because if you are, and you don't specify that in headers, it won't match the request, and thus Access-Control-Allow-Origin will not be returned.

My suggested strategy: start from the absolutely most lax settings (match all origins, match all headers, etc.), and one by one make changes to the settings to restrict. When something doesn't work, you'll know you made a mistake when the request starts to fail.

woohoou commented Jun 9, 2017

any news?

Owner

cyu commented Jul 15, 2017

@vlbgomes What URL are you trying to access? I'm guessing, since http://kabrabom.herokuapp.com isn't in the first resource set, that you're trying to access the /public/ resources, right?
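
The precise-match behaviour described in the comments by corps and cyu, as an added example that is not part of the thread and not rack-cors's own code: a simplified Ruby model of the posted config.ru rules that reports which rule a request matches, or which check each rule failed first. The matching semantics (bare hosts match any scheme, `:methods` defaults to `[:get]`, no request header is exempt) and the sample request are assumptions.

```ruby
# Simplified model of the rule matching described above (NOT rack-cors source).
# Assumptions: a bare host matches any scheme, '*' in a path is a wildcard,
# :methods defaults to [:get], and no request header is exempt from the check.
Rule = Struct.new(:origins, :path, :methods, :headers)
# Rules transcribed from the config.ru posted in the issue.
PRIVATE = ['localhost:3000', '127.0.0.1:3000',
           /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/].freeze
RULES = [
  Rule.new(PRIVATE, '/file/list_all/', [:get], ['x-domain-token']),
  Rule.new(PRIVATE, '/file/at/*',
           %i[get post delete put patch options head], ['x-domain-token']),
  Rule.new(['*'], '/public/*', [:get], :any)
].freeze

def origin_ok?(allowed, origin)
  allowed.any? do |o|
    case o
    when Regexp then o.match?(origin)
    when '*' then true
    when %r{\A[a-z][a-z0-9.+-]*://}i then o == origin
    else origin.match?(%r{\A[a-z][a-z0-9.+-]*://#{Regexp.escape(o)}\z}i)
    end
  end
end

def path_ok?(pattern, path)
  parts = pattern.split('*', -1).map { |s| Regexp.escape(s) }
  path.match?(/\A#{parts.join('.*')}\z/)
end

def headers_ok?(allowed, requested)
  allowed == :any || requested.all? { |h| allowed.any? { |a| a.casecmp?(h) } }
end

# Returns [rule_index, nil] on a match, else [nil, reasons] naming the first
# check each rule failed, so the mismatch is visible.
def diagnose(origin:, path:, method:, headers: [])
  reasons = RULES.each_with_index.map do |r, i|
    failed = if !origin_ok?(r.origins, origin) then :origin
             elsif !path_ok?(r.path, path) then :path
             elsif !r.methods.include?(method) then :method
             elsif !headers_ok?(r.headers, headers) then :headers
             end
    return [i, nil] if failed.nil?
    "rule #{i}: #{failed}"
  end
  [nil, reasons]
end
# Constructed request: the reporter's origin asking for a /file/ path.
p diagnose(origin: 'http://kabrabom.herokuapp.com', path: '/file/list_all/', method: :get)
```

Under these assumptions the reporter's origin can only match the `/public/*` rule, and a request from an allowed origin still fails when it sends a header the rule does not list.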

JerryArns commented Dec 9, 2017

I'm having trouble with subdomains, i.e. (staging.myapp.com), origins are not being accepted by rack-cors.
