Comments (15)
I am not sure if this issue is still relevant, but here is the solution that worked for me:
    allow do
      origins do |source, env|
        # this proc should return true or false
        # You can dynamically check the database/redis or any other storage for your origins
        Database.where('redirect_uri ~* ?', "^#{source}").exists?
      end
      resource '/api/v0/*', headers: :any, methods: [:get, :delete, :put, :post, :options]
      resource '/api/oauth/*', headers: :any, methods: [:get, :delete, :post, :options]
    end
from rack-cors.
@faragorn is your solution supposed to check for the customers who are allowed to use the API? I have a web widget where my customers are allowed to send POST requests to my server and I would like to prevent any "not allowed" request from getting a response.
No, that's not functionality I had in mind when I developed it. I suppose if you could figure out how to access the middleware stack you could get to the middleware and call allow in it to add new rules. Or you can use Rack::Cors in your own middleware and store the cors middleware in env to be used further up the stack.
Thinking about it some more, that's not going to quite work - you'll probably want to create a new Rack::Cors instance on every call to make sure you set all the rules.
If you can figure out a cleaner way to do this, I'd be happy to accept a patch.
Thanks for your input.
I do however have an issue with the resource picking up a particular controller.
I have
    config.middleware.use Rack::Cors do
      allow do
        origins '*'
        resource '/reservations/*', :headers => :any, :methods => [:get, :post]
        resource '/impressions/*', :headers => :any, :methods => [:post]
      end
    end
Here are my controllers. However, the reservations resource is not being allowed, whereas the impressions resource is.
Is there a way to troubleshoot this?
I assume the resource should point to the name of my controllers?
Thanks
On Sep 3, 2014, at 5:13 PM, Calvin Yu [email protected] wrote:
Think about it some more that's not going to quite work - you'll probably want to create a new Rack::Cors instance on call to make sure you set all the rules.
If you can figure out a cleaner way to do this, I'd be happy to accept a patch.
There is a way to enable some logging, but it only logs where there's a resource hit, and not misses.
That gives me an idea though - I can probably return some diagnostics in the HTTP headers to make troubleshooting these issues easier. Doesn't really help you right now though. Sorry.
No problem.
I realized that I had to also include the other resources in the path,
i.e. hotels/1/room/2.
I had to allow both resource room and hotel.
On Sep 5, 2014, at 8:27 AM, Calvin Yu [email protected] wrote:
There is a way to enable some logging, but it only logs where there's a resource hit, and not misses.
That gives me an idea though - I can probably return some diagnostics in the HTTP headers to make troubleshooting these issues easier. Doesn't really help you right now though. Sorry.
Mind sending me your final configuration?
    config.middleware.insert_after Rails::Rack::Logger, Rack::Cors, :logger => Rails.logger do
      allow do
        origins '*'
        resource '/reservations/*', :headers => :any, :methods => [:get, :post]
        resource '/hotels/*', :headers => :any, :methods => [:get]
        resource '/impressions/*', :headers => :any, :methods => [:post]
      end
    end
On Sep 6, 2014, at 7:40 PM, Calvin Yu [email protected] wrote:
Mind sending me your final configuration?
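Added example, not code from the thread or from rack-cors itself: a small offline emulation of how a request path is matched against the resource patterns in the configuration above, which answers the earlier troubleshooting question (rack-cors, per the thread, only logs hits, not misses). The compile rules (`*` becomes a lazy wildcard, `:name` becomes one path segment, and the pattern is anchored to the whole path) follow rack-cors's Sinatra-style path compilation as I understand it and are an assumption; the resource list is a constructed copy of the final configuration. It shows why a nested path such as /hotels/1/rooms/2 is allowed by `/hotels/*` alone (the whole path is tested against each pattern) and why a pattern with no wildcard, such as `/reservations/`, matches only that exact path.

```ruby
# Characters rack-cors treats literally inside a resource path (assumption
# mirrored from its Sinatra-style compile step).
SPECIAL_CHARS = %w[. + ( )].freeze

# Compile a resource path into an anchored Regexp:
#   '*'     -> lazy wildcard, may span several path segments
#   ':name' -> exactly one path segment
def compile_resource(path)
  pattern = path.gsub(/((:\w+)|[*.+()])/) do |m|
    case m
    when '*' then '(.*?)'
    when *SPECIAL_CHARS then Regexp.escape(m)
    else '([^/?&#]+)'
    end
  end
  /\A#{pattern}\z/
end

# One allowed resource: its declared path, allowed HTTP verbs, compiled pattern.
Resource = Struct.new(:path, :verbs, :pattern) do
  def matches?(request_path, request_method)
    pattern.match?(request_path) && verbs.include?(request_method.to_s.downcase.to_sym)
  end
end

# Builder with the same keyword as rack-cors's `methods:` option.
def resource(path, methods:)
  Resource.new(path, methods, compile_resource(path))
end

# Constructed copy of the final configuration posted in the thread.
RESOURCES = [
  resource('/reservations/*', methods: [:get, :post]),
  resource('/hotels/*',       methods: [:get]),
  resource('/impressions/*',  methods: [:post])
].freeze

# Report which resource would allow the request, or explain the miss:
# either a path matched but the verb is not allowed, or nothing matched.
def explain_cors_match(request_path, request_method, resources = RESOURCES)
  hit = resources.find { |r| r.matches?(request_path, request_method) }
  return "hit: #{hit.path}" if hit

  path_only = resources.find { |r| r.pattern.match?(request_path) }
  if path_only
    "miss: #{path_only.path} matches the path but not method #{request_method.to_s.upcase}"
  else
    "miss: no resource pattern matches #{request_path}"
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[/reservations/5 /reservations /hotels/1/rooms/2 /impressions/9].each do |p|
    %w[GET POST].each { |m| puts "#{m} #{p} -> #{explain_cors_match(p, m)}" }
  end
end
```

Run it as a script to print a hit/miss line for each path and verb; when a request is blocked in a real app, paste its path and method into explain_cors_match to see whether it is the pattern or the verb list that fails.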
Thanks!
FYI - I committed some changes to return some diagnostic headers when debug mode is enabled: 8456a39
Hi Calvin,
Can you tell me if you have a way to expose the Location in the headers?
I'm getting:
jqXHR.getAllResponseHeaders()
"Content-Type: application/json; charset=utf-8
Cache-Control: max-age=0, private, must-revalidate
I'm looking to get access to the Location in the response headers.
On Sep 9, 2014, at 6:41 AM, Calvin Yu [email protected] wrote:
Thanks!
FYI - I committed some changes to return some diagnostic headers when debug mode is enabled: 8456a39
I'm guessing there wasn't a Location header in the response. If you're using Chrome or Safari you can see the headers from the inspector.
Yeah, I can see them in the browser, so I guess it's not a return header issue; it's more that the browser is not passing them back to the ajax done callback, which I believe is a browser issue.
On Sep 10, 2014, at 3:10 PM, Calvin Yu [email protected] wrote:
I'm guessing there wasn't a location header in the response. If you're using chrome or safari you can see the headers from the inspector.
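Added example, not code from the thread or from rack-cors: the behaviour described in the last two comments is the browser's CORS rule that a cross-origin script may read only the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) unless the server names others in Access-Control-Expose-Headers. The emulation below filters a constructed 201 response the way getAllResponseHeaders() would, first without and then with that grant; the header values are constructed, and the claim that rack-cors's `expose:` resource option is what sets Access-Control-Expose-Headers comes from rack-cors's documentation, not from this thread.

```ruby
# Response headers readable cross-origin without any exposure grant.
CORS_SAFELISTED_RESPONSE_HEADERS = %w[
  cache-control content-language content-length content-type
  expires last-modified pragma
].freeze

# Emulate what a cross-origin XMLHttpRequest (and therefore jqXHR) reveals:
# safelisted headers plus any listed in Access-Control-Expose-Headers.
# Header names are compared case-insensitively; returned keys are lowercased.
def script_visible_headers(response_headers)
  lower = response_headers.to_h { |k, v| [k.to_s.downcase, v] }
  exposed = lower.fetch('access-control-expose-headers', '')
                 .split(',').map { |n| n.strip.downcase }.reject(&:empty?)
  lower.select do |name, _|
    CORS_SAFELISTED_RESPONSE_HEADERS.include?(name) || exposed.include?(name)
  end
end

# Constructed 201 Created response in the shape the thread describes: the
# Location header is present on the wire but not safelisted.
CREATED_RESPONSE = {
  'Content-Type'                => 'application/json; charset=utf-8',
  'Cache-Control'               => 'max-age=0, private, must-revalidate',
  'Location'                    => 'https://api.example.test/reservations/42',
  'Access-Control-Allow-Origin' => '*'
}.freeze

# What the response looks like once the server grants exposure of Location
# (in rack-cors: resource '...', expose: ['Location']; assumed wiring).
def with_exposed_location(headers)
  headers.merge('Access-Control-Expose-Headers' => 'Location')
end

if __FILE__ == $PROGRAM_NAME
  puts "without grant: #{script_visible_headers(CREATED_RESPONSE).keys.inspect}"
  puts "with grant:    #{script_visible_headers(with_exposed_location(CREATED_RESPONSE)).keys.inspect}"
end
```

For the configuration in this thread the change would be resource '/reservations/*', :headers => :any, :methods => [:get, :post], :expose => ['Location']; the inspector shows every header because it is not subject to this filter, which is why the two views disagreed.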
@medbouzid Yes, in my solution it is done dynamically, and sources are checked in the database. But generally that's what origins are for: if the request origin is not listed in origins, it will not be allowed.
Hi everyone, sorry for the stupid question, but is there a way to update the list of allowed origins on the fly when the server is already running? I need this to be able to integrate client custom APIs.
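Added example, not code from the thread or from rack-cors: a dynamic origins check of the kind @faragorn posted in the first comment, which also answers the question just above, because an origins block is evaluated per request, so any change to the stored list takes effect without a restart. The stored redirect URIs are a constructed in-memory stand-in for the database table; prefix_origin_allowed? re-implements the comment's `redirect_uri ~* '^<source>'` regex prefix test in plain Ruby (an emulation, not the SQL), and exact_origin_allowed? is the hardened form: it compares the request Origin with the origin (scheme, host, port) of each stored URI, so an origin that merely shares a prefix with a stored URI, or that is not a valid absolute URL, is rejected. One caveat for the widget question earlier in the thread: the Origin header is enforced by browsers only, so this governs which web pages may read responses and is not a substitute for authenticating the POST requests themselves.

```ruby
require 'uri'

# Constructed stand-in for the redirect_uri column queried in the first
# comment (assumption: the real list lives in a database or Redis).
STORED_REDIRECT_URIS = [
  'https://app.example.com/oauth/callback',
  'https://widget.example.org/done'
].freeze

# Emulation of the comment's check: the request Origin is used as an
# unescaped, case-insensitive regex prefix against each stored URI.
def prefix_origin_allowed?(source, stored = STORED_REDIRECT_URIS)
  pattern = Regexp.new("^#{source}", Regexp::IGNORECASE)
  stored.any? { |uri| uri.match?(pattern) }
rescue RegexpError
  false # an Origin that is not a valid regex cannot be allowed
end

# Serialize a URL to its origin (lowercased scheme://host[:port]), or nil
# when it is not an absolute http(s) URL.
def origin_of(url)
  u = URI.parse(url.to_s)
  return nil unless %w[http https].include?(u.scheme.to_s.downcase) && u.host
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme.downcase}://#{u.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Hardened check: the request Origin must equal the origin of some stored
# redirect URI. Looked up on every call, so list changes apply immediately.
def exact_origin_allowed?(source, stored = STORED_REDIRECT_URIS)
  wanted = origin_of(source)
  return false if wanted.nil?
  stored.any? { |uri| origin_of(uri) == wanted }
end

# Block to hand to rack-cors (`origins { |source, env| ... }` inside allow);
# the wiring is assumed, the block contract (return true/false) comes from
# the first comment.
CORS_ORIGINS_CHECK = proc { |source, _env| exact_origin_allowed?(source) }

if __FILE__ == $PROGRAM_NAME
  ['https://app.example.com', 'https://app.example.co', 'https://app.example.com:8443'].each do |o|
    puts "#{o}: prefix=#{prefix_origin_allowed?(o)} exact=#{exact_origin_allowed?(o)}"
  end
end
```

Inside the rack-cors configuration this becomes origins { |source, env| exact_origin_allowed?(source) } in place of the database regex; the trade-off is one extra normalization per request, which is cheap next to the query the original already performs.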