Roberto Pezzali

Reputation: 2504

Rails Api for mobile apps: how to fix CORS just for api?

I'm designing a suite of APIs for my Rails website. I have already written the API and it works locally; I tested it with RSpec and with the OS X app "Rested".

Now I must handle CORS: at the moment all my API endpoints are "GET" only, no POST or PATCH.

I need to access my API from apps and from another domain that has to handle a content feed.

I'm not so familiar with CORS; I read that the best option is to use the "Rack Cors Gem".

The rack-cors docs suggest putting this in application.rb:

module YourApp
  class Application < Rails::Application

    # ...

    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end

  end
end

I'm worried about security: I read something, but I cannot understand why it is dangerous to use '*'.

In my case the API is under www.example.com/api/v1

Can I modify the rack-cors configuration to add CORS just to my API, in this way?

module YourApp
  class Application < Rails::Application

    # ...

    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '\api\v1', :headers => :any, :methods => [:get, :options]
      end
    end

  end
end 

Upvotes: 0

Views: 1914

Answers (2)

Slava Zharkov

Reputation: 237

As far as I know, you can use the following way:

config.middleware.insert_before 0, "Rack::Cors" do
  allow do
    origins '*'
    resource '/api/v1/*', :headers => :any, :methods => [:get, :options]
  end
end

Upvotes: 0

jrochkind

Reputation: 23357

I wouldn't bother with the Rack::Cors gem. This is easy enough to do just in Rails; I think this is a case of "gem-itis". Yes, you're going to have to understand a bit about what CORS actually does to make sure you're doing what you want -- you're going to have to do that either way, with or without a gem. CORS is not too complicated; it will pay to read about it, perhaps here: http://enable-cors.org/server.html

If I understand right, you don't want to add CORS headers to every action (allowing cross-domain javascript access to every action), but just to certain actions? Which ones, how will they be identified?

Let's say you only have one action, index in WidgetController that you want to add CORS to, and you only want to add it to 'json' type requests, not to html requests. Here's how you might do that. Add to your WidgetController code (at ./app/controllers/widget_controller.rb):

 class WidgetController < ApplicationController
   # Rails 4+ spells this before_action; before_filter is a deprecated alias
   # that was removed in Rails 5.1.
   before_filter :add_cors_to_json, :only => :index

   protected

   # Adds the CORS header only to JSON responses of #index, so the HTML
   # pages of the site stay unreadable from other origins.
   def add_cors_to_json
     if request.format == "application/json"
       # "*" to allow for any domain, or specify certain domains
       response.headers["Access-Control-Allow-Origin"] = "*"
     end
   end
 end

I don't think the Rack::CORS gem is giving you anything -- you still need to understand what's going on to make it do what you want, but now you need to understand the Rack::CORS gem too. Just do it in Rails.

Upvotes: 1
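Both answers come down to the same two decisions: which paths get CORS headers, and which origins are allowed to read the responses. The following is an added example, not code from either answer and not the rack-cors gem's own code. It is a small Rack middleware that relies only on the Rack calling convention (call(env) returns [status, headers, body]), so it runs without Rails or any gem, and it shows the three behaviours a practitioner usually wants: headers only under a path prefix (the '/api/v1/*' scoping from the first answer), an explicit origin allow-list instead of '*' (the question's worry), and correct handling of the OPTIONS preflight. The path prefix, the origin https://feed.example.org, the stand-in inner app and the env-building helper are all assumptions constructed for the example. The one hard security rule it enforces is that a wildcard origin is never combined with credentials: browsers reject that pairing, and a server that instead reflects every Origin header while allowing cookies lets any web page read authenticated responses on behalf of the victim's browser. For a public, unauthenticated GET feed like the one in the question, '*' itself exposes nothing the feed does not already give away.

```ruby
# Minimal CORS middleware for a Rack/Rails app (added example; not rack-cors).
# Only the Rack protocol is used, so this file runs on plain Ruby.
class ApiCors
  # Hypothetical defaults: only the feed site may read /api/v1/*, GET only.
  DEFAULT_OPTIONS = {
    path_prefix: "/api/v1/",
    allowed_origins: ["https://feed.example.org"], # or "*" for any origin
    allowed_methods: %w[GET OPTIONS],
    allow_credentials: false
  }.freeze

  def initialize(app, options = {})
    @app = app
    @opts = DEFAULT_OPTIONS.merge(options)
    if @opts[:allowed_origins] == "*" && @opts[:allow_credentials]
      # Browsers refuse '*' together with credentials; reflecting every Origin
      # with cookies attached would let any site read authenticated data.
      raise ArgumentError, "cannot combine wildcard origin with credentials"
    end
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    origin = env["HTTP_ORIGIN"]

    # Same-origin request or a non-API path: pass through with no CORS headers,
    # so the HTML site itself is never readable cross-origin.
    return @app.call(env) unless origin && path.start_with?(@opts[:path_prefix])

    allowed = allowed_origin_for(origin)
    # Unknown origin: answer normally but without CORS headers; the browser
    # will then refuse to hand the response to the calling script.
    return @app.call(env) unless allowed

    if env["REQUEST_METHOD"] == "OPTIONS" && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
      return preflight_response(allowed, env)
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(allowed)), body]
  end

  private

  # Returns the value to echo in Access-Control-Allow-Origin, or nil.
  def allowed_origin_for(origin)
    list = @opts[:allowed_origins]
    return "*" if list == "*"
    list.include?(origin) ? origin : nil
  end

  def cors_headers(allowed)
    h = { "Access-Control-Allow-Origin" => allowed }
    # An echoed origin depends on the request, so shared caches must key on it.
    h["Vary"] = "Origin" unless allowed == "*"
    h["Access-Control-Allow-Credentials"] = "true" if @opts[:allow_credentials]
    h
  end

  def preflight_response(allowed, env)
    requested = env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
    unless @opts[:allowed_methods].include?(requested)
      return [403, { "Content-Type" => "text/plain" }, ["method not allowed by CORS"]]
    end
    headers = cors_headers(allowed).merge(
      "Access-Control-Allow-Methods" => @opts[:allowed_methods].join(", "),
      "Access-Control-Allow-Headers" => env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"].to_s,
      "Access-Control-Max-Age" => "600"
    )
    [204, headers, []]
  end
end

# Constructed stand-in for the Rails app: a JSON feed endpoint plus an HTML page.
INNER_APP = lambda do |env|
  if env["PATH_INFO"].start_with?("/api/v1/")
    [200, { "Content-Type" => "application/json" }, ['{"items":[]}']]
  else
    [200, { "Content-Type" => "text/html" }, ["<html></html>"]]
  end
end

# Builds the Rack env a browser request would produce and runs it (helper
# for the example, not a Rack API).
def cors_request(app, method, path, origin: nil, preflight_method: nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  env["HTTP_ORIGIN"] = origin if origin
  env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_method if preflight_method
  app.call(env)
end

if __FILE__ == $0
  app = ApiCors.new(INNER_APP)
  status, headers, _body = cors_request(app, "GET", "/api/v1/feed",
                                        origin: "https://feed.example.org")
  puts "#{status} #{headers.inspect}"
end
```

To allow any origin, as the question's config does, pass allowed_origins: "*"; the middleware then emits a literal '*' (and no Vary) and refuses to also turn on credentials, which is the combination that makes a wildcard dangerous rather than the wildcard alone.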
