Menu
I doubt the backend serving my app is important, but if you care, I'm using rack-cors with a Rails 4.0 app.
Using jQuery, I send my app a PATCH request like so:
$.ajax({
url: "http://example.com/whatever",
type: "PATCH",
data: { something: "something else" }
})
When I trigger this call from Chrome, I see a successful OPTIONS request go out, which returns these headers from my server:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:accept, content-type
Access-Control-Allow-Methods:GET, PUT, PATCH, OPTIONS
Access-Control-Allow-Origin: http://sending-app.localhost:3000
Access-Control-Expose-Headers:
Access-Control-Max-Age:15
Then I see a PATCH request go out, which throws this error:
XMLHttpRequest cannot load http://example.com/whatever. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://sending-app.localhost:3000' is therefore not allowed access.
I have tried switching from PATCH to PUT with the same results.
This doesn't make any sense to me. What's going on?
I thought the headers told the whole story, but since people are confused, here's my config/application.rb file, which is how the rack-cors plugin for Rails is configured:
config.middleware.use Rack::Cors do
allow do
origins '*'
resource '*',
:headers => :any,
:methods => [:get, :put, :patch, :options],
:max_age => 15
end
end
430
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
To get rid of a CORS error, you can download a browser extension like CORS Unblock ↗. The extension appends Access-Control-Allow-Origin: * to every HTTP response when it is enabled. It can also add custom Access-Control-Allow-Origin and Access-Control-Allow-Methods headers to the responses.
Exclude Rails CSRF checking in the action ;)
That is, Rails checks for an authenticity token with update/create requests. Within your Rails app, this token is added to all of your forms. But with javascript requests, including it is tricky.
You can skip checking it for an action by adding this to your controller:
skip_before_filter :verify_authenticity_token, :only => [:update]
BTW, your problem had nothing to do with CORS, you were getting a bad error message in the browser. The Rails log tells the real story.
173
You might want to add this to your config/application.rb file:
#config/application.rb
config.middleware.use Rack::Cors do
allow do
origins '*'
resource '/*', :headers => :any, :methods => :patch
end
end
The resource part is where you define which methods / requests your endpoint can accept!
Hope this helps
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
