I have a single app. I want to accept same-origin requests on /foo and cross-origin requests on /bar.
If I do this:
```ruby
app.use Rack::CorsGateOriginProcessor
app.use Rack::Cors do
  allow do
    resource '/bar', credentials: true, methods: :any
  end
end
app.use Rack::CorsGate
```
Then env['rack.cors'] will be a miss for requests to /foo. That, in turn, will lead to Rack::CorsGate returning a 403.
Shouldn't the logic be more like
```ruby
def is_allowed(env, origin, method)
  return true if @allow_safe && ['GET', 'HEAD'].include?(method.upcase)
  return true if !@strict && origin.nil?
  return true if same_origin_request?(env) # CorsGate doesn't apply to same-origin requests
  env['rack.cors'].hit?
end
```
Or am I completely missing how this is supposed to work?
Or -- and this is closer to my real use-case -- I want to allow same-origin and cross-origin requests to the same resources:
```ruby
app.use Rack::Cors do
  allow do
    origins do |origin, env|
      origin == 'www.example.com' && Rack::Request.new(env).host == 'api.example.com'
    end
    resource '/api/*', credentials: true, methods: :any
  end
end
```
I wouldn't want "CORS" requests from www to www. Nor would I want Rack::CorsGate to block those.
A related problem: if the application also serves HTML traffic, Rack::CorsGateOriginProcessor will probably do the wrong thing. Example:
```
https://my-search-engine.com
My Site
https://mysite.example.com
GET https://mysite.example.com
Referer: my-search-engine.com
Origin: my-search-engine.com
```
There are a few ways to get around this. One is to wrap Rack::CorsGate in a middleware that checks whether the request is an API request:
```ruby
class CORSAPIGate
  API_PATHS = %r{^/api/}

  def initialize(app)
    @bare_app = app
    @cors_app = Rack::CorsGate.new(app)
  end

  def call(env)
    request = Rack::Request.new(env)
    request.path =~ API_PATHS ? @cors_app.call(env) : @bare_app.call(env)
  end
end
```
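To make the two points in this thread concrete, here is an added, self-contained Ruby example. It is not code from rack-cors-gate or rack-cors and needs no gems: it models the `is_allowed` logic with a same-origin check proposed in the opening post, the Referer-to-Origin step this comment attributes to `Rack::CorsGateOriginProcessor`, and the path-scoped wrapper above, then runs constructed requests through a gate applied on every path (`UNSCOPED`) and one applied only under `/api/` (`SCOPED`). `CorsResult`, `FakeCors`, `OriginFromReferer`, `Gate`, `ApiGate`, `HELLO` and `response_status` are all hypothetical stand-ins, and `strict: true, allow_safe: false` is chosen so that only same-origin requests and CORS hits get through.

```ruby
require 'uri'

# Stand-in for Rack::Cors::Result; the gate only consults hit?.
CorsResult = Struct.new(:hit) { def hit?; hit; end }

# Stand-in for Rack::Cors: records a hit in env['rack.cors'] when the request
# carries an allowed Origin and targets the allowed path prefix.
class FakeCors
  def initialize(app, allowed_origins:, path_prefix:)
    @app, @allowed_origins, @path_prefix = app, allowed_origins, path_prefix
  end
  def call(env)
    origin = env['HTTP_ORIGIN']
    hit = !origin.nil? && @allowed_origins.include?(origin) &&
          env['PATH_INFO'].start_with?(@path_prefix)
    env['rack.cors'] = CorsResult.new(hit)
    @app.call(env)
  end
end

# Fills in a missing Origin from Referer, which is what the thread says
# Rack::CorsGateOriginProcessor does (assumption: that is all it does).
class OriginFromReferer
  def initialize(app); @app = app; end
  def call(env)
    if env['HTTP_ORIGIN'].nil? && env['HTTP_REFERER']
      ref = URI.parse(env['HTTP_REFERER'])
      port = ref.port == ref.default_port ? '' : ":#{ref.port}"
      env['HTTP_ORIGIN'] = "#{ref.scheme}://#{ref.host}#{port}"
    end
    @app.call(env)
  end
end

# Gate with the logic proposed in the opening post: safe methods and (when not
# strict) a missing Origin pass, same-origin requests pass, anything else needs
# a CORS hit. Hypothetical class, not Rack::CorsGate itself.
class Gate
  def initialize(app, strict:, allow_safe:)
    @app, @strict, @allow_safe = app, strict, allow_safe
  end
  def call(env)
    return @app.call(env) if allowed?(env, env['HTTP_ORIGIN'], env['REQUEST_METHOD'])
    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end
  def allowed?(env, origin, method)
    return true if @allow_safe && %w[GET HEAD].include?(method.upcase)
    return true if !@strict && origin.nil?
    return true if same_origin?(env, origin)
    result = env['rack.cors']
    !result.nil? && result.hit?
  end
  # Scheme, host and port of the Origin header must all match the request's own
  # origin; "Origin: null" and unparsable values are never same-origin.
  def same_origin?(env, origin)
    return false if origin.nil?
    o = URI.parse(origin)
    r = URI.parse("#{env['rack.url_scheme']}://#{env['HTTP_HOST']}")
    [o.scheme, o.host, o.port] == [r.scheme, r.host, r.port]
  rescue URI::InvalidURIError
    false
  end
end

# The wrapper from the last comment, made runnable: only /api/ paths are gated,
# so everything else is also left without the gate's CSRF protection.
class ApiGate
  API_PATHS = %r{\A/api/}
  def initialize(app, **gate_opts)
    @bare_app = app
    @gated_app = Gate.new(app, **gate_opts)
  end
  def call(env)
    (env['PATH_INFO'] =~ API_PATHS ? @gated_app : @bare_app).call(env)
  end
end

HELLO = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
GATE_OPTS = { strict: true, allow_safe: false }.freeze
CORS_OPTS = { allowed_origins: ['https://www.example.com'], path_prefix: '/api/' }.freeze
# Gate on every path (where the issue starts) vs. gate only on /api/ (the wrapper).
UNSCOPED = OriginFromReferer.new(FakeCors.new(Gate.new(HELLO, **GATE_OPTS), **CORS_OPTS))
SCOPED = OriginFromReferer.new(FakeCors.new(ApiGate.new(HELLO, **GATE_OPTS), **CORS_OPTS))

# Builds a minimal Rack env for a constructed request and returns the status code.
def response_status(pipeline, method:, path:, host: 'api.example.com', origin: nil, referer: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path,
          'HTTP_HOST' => host, 'rack.url_scheme' => 'https' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_REFERER'] = referer if referer
  pipeline.call(env)[0]
end
```

With these constructed requests, a same-origin `POST /foo` (Origin `https://api.example.com`) gets 200 from both pipelines even though `env['rack.cors']` is a miss; a `GET /` with `Referer: https://my-search-engine.com/search?q=x` and no Origin gets 403 when the gate is applied everywhere and 200 when it is scoped to `/api/`; a `POST /api/x` from `https://evil.example` gets 403 in both. The trade-off of the wrapper is visible too: a `POST /foo` from `https://evil.example` gets 200 in the scoped pipeline, so any state-changing non-API endpoint needs its own CSRF defence.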