From: John Firebaugh Date: Sat, 20 Oct 2012 23:11:51 +0000 (-0700) Subject: Allow cross-origin requests to API X-Git-Tag: live~5883 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/77519738715b21fbb4ea384c9b56ccc2d9fb4687?hp=31dae1bac102bdf30d62aacd24e6821a2fbbc542 Allow cross-origin requests to API --- diff --git a/Gemfile b/Gemfile index fa3f38d79..4644d07ea 100644 --- a/Gemfile +++ b/Gemfile @@ -25,6 +25,7 @@ gem 'http_accept_language', '>= 1.0.2' gem 'paperclip', '~> 2.0' gem 'deadlock_retry', '>= 1.2.0' gem 'i18n-js', '>= 3.0.0.rc2' +gem 'rack-cors' # We need ruby-openid 2.2.0 or later for ruby 1.9 support gem 'ruby-openid', '>= 2.2.0' diff --git a/Gemfile.lock b/Gemfile.lock index 8c8e60af7..2299757c0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -102,6 +102,8 @@ GEM rack (1.4.1) rack-cache (1.2) rack (>= 0.4) + rack-cors (0.2.7) + rack rack-openid (1.3.1) rack (>= 1.1.0) ruby-openid (>= 2.1.8) @@ -181,6 +183,7 @@ DEPENDENCIES open_id_authentication (>= 1.1.0) paperclip (~> 2.0) pg + rack-cors rails (= 3.2.8) rails-i18n (>= 0.6.3) redcarpet diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb new file mode 100644 index 000000000..6fbeb9161 --- /dev/null +++ b/config/initializers/cors.rb @@ -0,0 +1,13 @@ +require "rack/cors" + +# Allow any and all cross-origin requests to the API. Allow any origin, and +# any headers. Non-browser requests do not have origin or header restrictions, +# so browser-requests should be similarly permitted. (Though the API does not +# require any custom headers, Ajax frameworks may automatically add headers +# such as X-Requested-By to requests.) +Rails.configuration.middleware.use Rack::Cors do + allow do + origins "*" + resource "/api/*", :headers => :any, :methods => [:get, :post, :put, :delete] + end +end diff --git a/test/integration/cors_test.rb b/test/integration/cors_test.rb new file mode 100644 index 000000000..827db7c93 --- /dev/null +++ b/test/integration/cors_test.rb @@ -0,0 +1,32 @@ +require File.dirname(__FILE__) + '/../test_helper' + +class CORSTest < ActionController::IntegrationTest + # Rails 4 adds a built-in `options` method. When we upgrade, we can remove + # this definition. + unless instance_method_names.include?("options") + def options(*args) + reset! unless integration_session + @html_document = nil + integration_session.send(:process, :options, *args).tap do + copy_session_variables! + end + end + end + + def test_api_routes_allow_cross_origin_requests + options "/api/capabilities", nil, + 'HTTP_ORIGIN' => "http://www.example.com", + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET' + + assert_response :success + assert_equal "http://www.example.com", response.headers['Access-Control-Allow-Origin'] + end + + def test_non_api_routes_dont_allow_cross_origin_requests + assert_raises ActionController::RoutingError do + options "/", nil, + 'HTTP_ORIGIN' => "http://www.example.com", + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET' + end + end +end