CORS broken for browsers that do preflight checks about phantom-of-the-capitol HOT 5 CLOSED

[Rewrote issue title for clarity]

I have a workaround for this, which I got from @padrino (https://github.com/padrino/padrino-framework/wiki/Cross-domain-requests,-Access-Control-Allow-Origin) and @cyu (https://github.com/cyu/rack-cors)

After cloning the phnatom repo, I edited the Gemfile to add this line:
gem 'rack-cors'

And edited config.ru to add this:
use Rack::Cors do allow do origins '*' resource '/retrieve-form-elements', :headers => :any, :methods => [:post, :options] end end

And now the preflight check from Chrome works and I can actually do the post.

Obviously you need to edit origins for your real allowed origins, and add the other apis as allowed resources. And a good solution would get the origins from the CORS_ALLOWED_DOMAINS variable.

I would be happy to put together a PR to really fix, if I could get a volunteer to guide me a bit, as I don't know a thing about Rails/Ruby/etc.

from phantom-of-the-capitol.

@PollyP CORS_ALLOWED_DOMAINS should actually be an array, and its values can be given in the environment variable CORS_ALLOWED_DOMAINS as a space separated list.

You can include * in the list as well to allow all origins. See main.rb#L9-L15:

  before do
    if CORS_ALLOWED_DOMAINS.include? request.env['HTTP_ORIGIN'] or CORS_ALLOWED_DOMAINS.include? "*"
      response.headers['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN']
      response.headers['Access-Control-Allow-Credentials'] = "true"
    end
    response.headers['X-Backend-Hostname'] = Socket.gethostname
  end

from phantom-of-the-capitol.

@wioux I stuck a log warning in there to track down the problem, and this code was never getting called. The server filtered out the http options method before it ever hit this code.

from phantom-of-the-capitol.

Ah! Ok, thanks for pointing that out. It seems appropriate to include the rack-cors gem as you suggest.

It looks like you can pattern match all resources with *, instead of having to specify /retrieve-form-elements. That would be useful since this issue should crop up with many of our routes (e.g. those under the debug/cwc controllers as well).

I would put the configuration in phantom-dc_config.rb.example. There, you may have to call Padrino.use instead of the global function.

from phantom-of-the-capitol.

Hi, My PR is failing the Travis build here: https://travis-ci.org/EFForg/phantom-of-the-capitol/builds/196075289. It is not liking the addition to the Gemfile. Is there something special I need to do to make Travis happy?

UPDATE: Ah, yes, the Gemfile.lock needs to be committed. The Travis build works now.

@wioux Thanks for your advice above.

from phantom-of-the-capitol.