Enabling Cross Origin Resource (CORS) Sharing In Rails

08 Feb 2018
Posted by: Shreekant Patil
Category: Ruby on Rails
Comments: 0

How can my application share it's resources with another client? This is where the CORS, or Cross Origin Resource protocol comes in. CORS introduces a standard mechanism that can be used by all browsers for implementing cross-domain requests. The spec defines a set of headers that allow the browser and server to communicate about which requests are (and are not) allowed. CORS continues the spirit of the open web by bringing API access to all.

What is a cross-site request?

Cross-site HTTP requests are HTTP requests for resources from a different domain than the domain of the resource making the request. Such requests are subject to security-based restrictions. To handle this restrictions, and get around them in a secure manner, W3C developed CORS.

What is CORS?

The Cross-Origin Resource Sharing (CORS) mechanism provides a way for a server to support cross-site requests and enable the secure transfer of data across different domains/sites.

How can our Rails API utilize CORS?

When the API is not configured to respond to requests you will likely get the error “No ‘Access-Control-Allow-Origin’ header is present on the requested resource”. In other words, you won’t be able to call the API directly. So if you have your frontend and backend on different domains you’ll need to allow CORS (cross-origin HTTP request) with the ‘rack-cors gem’. This gem provides Rack CORS Middleware to our Rails app, allowing it to support cross-origin resource sharing.

Setting up Rack-CORS:

A few easy steps and we'll be ready to go!

Add the following to your Gemfile and bundle install:
```
gem 'rack-cors', :require=>'rack/cors’
```
Then run bundle install

Add your API module to config/application.rb and configure your Rack-CORS Middleware:

classApplication <Rails::Application

    # Rails 5

    config.middleware.insert_before 0, Rack::Corsdo

      allow do

        origins '*'

        resource '*', :headers=>:any, :methods=>[:get, :post, :options]

      end

    end



    # Rails 3/4

    config.middleware.insert_before 0, "Rack::Cors"do

      allow do

        origins '*'

        resource '*', :headers=>:any, :methods=>[:get, :post, :options]

      end

    end

end

With origins "*", we specify that our API will accept HTTP requests from any domain in the whole wide internet.
With resource "*", we specify that a cross-origin request can access any of our resources.

We then specify that a cross-origin request using any HTTP method will be accepted–although, if you recall, we defined our Graduates class inside our API module to respond to only requests for all grads or just one grad.

Tags:

Blog