Reputation: 2504
I'm designing a suite of API for my Rails website. I have already written the API and they work locally; I tested them with RSpec and with the OSX app "Rested".
Now I must handle CORS: all my API at the moment are only "GET" API, no POST or PATCH.
I need to access my API from apps and from another domain that has to handle a content feed.
I'm not so familiar with CORS; I read that the best option is to use the "Rack Cors Gem".
The rack-cors docs suggest putting this in application.rb:
module YourApp
  class Application < Rails::Application
    # ...
    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end
  end
end
I'm worried about security: I read something, but I cannot understand why it is dangerous to use '*'.
In my case the API are under www.example.com/api/v1.
Can I modify the rack-cors configuration to add CORS just to my API, in this way?
module YourApp
  class Application < Rails::Application
    # ...
    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '\api\v1', :headers => :any, :methods => [:get, :options]
      end
    end
  end
end
Upvotes: 0
Views: 1914
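The question asks why `origins '*'` is considered risky, and neither answer spells it out. What decides that is the check a browser makes with the header it gets back, so here is an added example, written for this page and not taken from the question or either answer, that models that check in plain Ruby; the origins, header hashes and the partner-site name `https://feed.example.net` are constructed values. For a public, unauthenticated GET feed like the one described, `*` only lets other sites read what anyone could already fetch, because browsers refuse a wildcard on requests that carry cookies or HTTP auth. The configuration that actually exposes authenticated data is the one that echoes the caller's Origin back together with `Access-Control-Allow-Credentials: true`; the last function shows that case.

```ruby
# Added example (not from the question or the answers): a plain-Ruby model of the
# check a browser makes before letting cross-origin script read a response.
# All origins and header hashes below are constructed for the demo.

# Would a browser expose the response body to script running at `origin`?
# `credentials` is true when the request carried cookies or HTTP auth
# (XHR withCredentials / fetch credentials: "include").
def browser_exposes_response?(origin:, response_headers:, credentials: false)
  allow_origin = response_headers["Access-Control-Allow-Origin"]
  allow_creds  = response_headers["Access-Control-Allow-Credentials"]
  return false if allow_origin.nil?

  if credentials
    # Credentialed request: the wildcard is refused; the header must name this
    # exact origin and Allow-Credentials must be literally "true".
    allow_origin == origin && allow_creds == "true"
  else
    allow_origin == "*" || allow_origin == origin
  end
end

# What the question's `origins '*'` configuration sends back.
WILDCARD_HEADERS = { "Access-Control-Allow-Origin" => "*" }.freeze

# A server that echoes the caller's Origin and opts in to credentials. This is
# the pattern that turns "any origin" into a real exposure, because it lets any
# site read responses produced with the visitor's own session cookies.
def reflecting_headers(origin)
  { "Access-Control-Allow-Origin"      => origin,
    "Access-Control-Allow-Credentials" => "true" }
end

# The partner domain from the question; constructed name.
FEED_SITE = "https://feed.example.net"

# Public, unauthenticated GET feed read by the partner site: the wildcard works.
def wildcard_public_read?
  browser_exposes_response?(origin: FEED_SITE, response_headers: WILDCARD_HEADERS)
end

# Same wildcard, but the request carried the user's cookies: the browser refuses.
def wildcard_with_cookies?
  browser_exposes_response?(origin: FEED_SITE, response_headers: WILDCARD_HEADERS,
                            credentials: true)
end

# Origin reflection plus Allow-Credentials: every origin, including one you
# never intended, can read cookie-authenticated responses.
def reflected_with_cookies?(origin)
  browser_exposes_response?(origin: origin,
                            response_headers: reflecting_headers(origin),
                            credentials: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "wildcard, public read:      #{wildcard_public_read?}"
  puts "wildcard, with cookies:     #{wildcard_with_cookies?}"
  puts "reflected origin + cookies: #{reflected_with_cookies?('https://untrusted.example')}"
end
```

The practical reading for this question: a wildcard on a GET-only, unauthenticated feed is not what leaks data; pairing CORS with credentials, or reflecting whatever Origin arrives, is. The remaining reason to avoid `*` is an endpoint that is only "private" because of where it sits on the network, since any page a user visits can then read it through the user's browser.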
Reputation: 237
As far as I know, you can use the following way:
config.middleware.insert_before 0, "Rack::Cors" do
  allow do
    origins '*'
    resource '/api/v1/*', :headers => :any, :methods => [:get, :options]
  end
end
Upvotes: 0
Reputation: 23357
I wouldn't bother with the Rack::Cors gem. This is easy enough to do just in Rails; I think this is a case of "gem-itis". Yes, you're going to have to understand a bit about what CORS actually does to make sure you're doing what you want -- you're going to have to do that either way, with or without a gem. CORS is not too complicated, and it will pay to read about it, perhaps here: http://enable-cors.org/server.html
If I understand right, you don't want to add CORS headers to every action (allowing cross-domain JavaScript access to every action), but just to certain actions? Which ones, and how will they be identified?
Let's say you only have one action, index in WidgetController, that you want to add CORS to, and you only want to add it to 'json' type requests, not to html requests. Here's how you might do that. Add to your WidgetController code (at ./app/controllers/widget_controller.rb):
class WidgetController < ApplicationController
  before_filter :add_cors_to_json, :only => :index

  protected

  def add_cors_to_json
    if request.format == "application/json"
      # "*" to allow for any domain, or specify certain domains
      response.headers["Access-Control-Allow-Origin"] = "*"
    end
  end
end
I don't think the Rack::CORS gem is giving you anything -- you still need to understand what's going on to make it do what you want, but now you need to understand the Rack::CORS gem too. Just do it in Rails.
Upvotes: 1
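The first answer scopes the gem to `/api/v1/*`; the second does the same job per action without the gem. What follows is an added example written for this page, not code from either answer and not the rack-cors gem: a small Rack-style middleware that combines both points. It grants CORS only under a path prefix (the question's `/api/v1`), only to an explicit allow list of origins instead of `'*'`, and only for GET plus the OPTIONS preflight. The inner app, the origin `https://feed.example.net` and the env hashes are constructed for the demonstration; in a Rails app the class would be inserted into the stack with `config.middleware.insert_before`, the same way the question inserts Rack::Cors.

```ruby
# Added example, written for this page; not code from either answer and not
# the rack-cors gem. A Rack-style middleware that applies CORS headers only
# under a path prefix, only for an explicit origin allow list, and only for
# GET and the OPTIONS preflight. Inner app, origins and envs are constructed.

class ScopedCors
  ALLOWED_METHODS = %w[GET OPTIONS].freeze

  # origins: exact origins such as "https://feed.example.net"; no wildcard.
  def initialize(app, path_prefix:, origins:)
    @app = app
    @path_prefix = path_prefix
    @origins = origins
  end

  def call(env)
    origin  = env["HTTP_ORIGIN"]
    allowed = env["PATH_INFO"].start_with?(@path_prefix) &&
              !origin.nil? && @origins.include?(origin)

    # A preflight from an allowed origin, in scope, is answered here; any
    # other OPTIONS request falls through to the app and gets no CORS headers.
    if env["REQUEST_METHOD"] == "OPTIONS" && allowed
      return [204, cors_headers(origin), []]
    end

    status, headers, body = @app.call(env)
    headers = headers.merge(cors_headers(origin)) if allowed
    [status, headers, body]
  end

  private

  def cors_headers(origin)
    { "Access-Control-Allow-Origin"  => origin,
      "Access-Control-Allow-Methods" => ALLOWED_METHODS.join(", "),
      # The grant depends on Origin, so a shared cache must not hand one
      # origin's response to another.
      "Vary" => "Origin" }
  end
end

# Constructed inner app standing in for the Rails app: every path returns JSON.
FEED_APP = lambda do |_env|
  [200, { "Content-Type" => "application/json" }, ['{"items":[]}']]
end

API = ScopedCors.new(FEED_APP, path_prefix: "/api/v1/",
                               origins: ["https://feed.example.net"])

# Build a minimal Rack env (a real server fills many more keys) and call the stack.
def api_request(method, path, origin: nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  env["HTTP_ORIGIN"] = origin if origin
  API.call(env)
end

# The Allow-Origin value the caller would see, or nil when CORS is not granted.
def granted_origin(method, path, origin: nil)
  _status, headers, _body = api_request(method, path, origin: origin)
  headers["Access-Control-Allow-Origin"]
end

if __FILE__ == $PROGRAM_NAME
  puts granted_origin("GET", "/api/v1/feed.json", origin: "https://feed.example.net").inspect
  puts granted_origin("GET", "/api/v1/feed.json", origin: "https://other.example").inspect
  puts granted_origin("GET", "/admin/users",      origin: "https://feed.example.net").inspect
end
```

The prefix check plays the role of the second answer's `:only => :index`, and the allow list replaces its `"*"`; a same-origin request (no Origin header) and a request from any origin not on the list pass through untouched, so nothing outside `/api/v1/` ever acquires a CORS grant by accident.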