Enabling Cross Origin Resource (CORS) Sharing In Rails

08 Feb 2018
0
Comments

Enabling Cross Origin Resource (CORS) Sharing In Rails

How can my application share it's resources with another client? This is where the CORS, or Cross Origin Resource protocol comes in. CORS introduces a standard mechanism that can be used by all browsers for implementing cross-domain requests. The spec defines a set of headers that allow the browser and server to communicate about which requests are (and are not) allowed. CORS continues the spirit of the open web by bringing API access to all.

What is a cross-site request?

Cross-site HTTP requests are HTTP requests for resources from a different domain than the domain of the resource making the request. Such requests are subject to security-based restrictions. To handle this restrictions, and get around them in a secure manner, W3C developed CORS.

What is CORS?

The Cross-Origin Resource Sharing (CORS) mechanism provides a way for a server to support cross-site requests and enable the secure transfer of data across different domains/sites.

How can our Rails API utilize CORS?

When the API is not configured to respond to requests you will likely get the error “No ‘Access-Control-Allow-Origin’ header is present on the requested resource”. In other words, you won’t be able to call the API directly. So if you have your frontend and backend on different domains you’ll need to allow CORS (cross-origin HTTP request) with the rack-cors gem. This gem provides Rack CORS Middleware to our Rails app, allowing it to support cross-origin resource sharing.

Setting up Rack-CORS:

A few easy steps and we'll be ready to go!
    1. Add the following to your Gemfile and bundle install:
      gem 'rack-cors', :require=>'rack/cors’
    2. Then run bundle install
    3. Add your API module to config/application.rb and configure your Rack-CORS Middleware:
      classApplication <Rails::Application
      
          # Rails 5
      
          config.middleware.insert_before 0, Rack::Corsdo
      
            allow do
      
              origins '*'
      
              resource '*', :headers=>:any, :methods=>[:get, :post, :options]
      
            end
      
          end
      
      
      
          # Rails 3/4
      
          config.middleware.insert_before 0, "Rack::Cors"do
      
            allow do
      
              origins '*'
      
              resource '*', :headers=>:any, :methods=>[:get, :post, :options]
      
            end
      
          end
      
      end
      
      
    4. With origins "*", we specify that our API will accept HTTP requests from any domain in the whole wide internet.
    5. With resource "*", we specify that a cross-origin request can access any of our resources.
    We then specify that a cross-origin request using any HTTP method will be accepted–although, if you recall, we defined our Graduates class inside our API module to respond to only requests for all grads or just one grad.



Leave a comment:

Recent Blogs
Contact-Us Contact-Us
Newsletter Newsletter