From 0defbf60e698737abb5f59a1e2ccf9462c7401b4 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Mon, 25 Mar 2013 21:49:25 +0000 Subject: [PATCH] Mark CORS responses as uncacheable --- config/initializers/cors.rb | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb index 9bbf937cf..1a8ce106d 100644 --- a/config/initializers/cors.rb +++ b/config/initializers/cors.rb @@ -1,11 +1,26 @@ require "rack/cors" +# Mark CORS responses as uncacheable as we don't want a browser to +# try and reuse a response that had a different origin, even with +# revalidation, as the origin check will fail. +module OpenStreetMap + class Cors < Rack::Cors + def call(env) + status, headers, body = super env + if headers['Access-Control-Allow-Origin'] + headers['Cache-Control'] = 'no-cache' + end + [status, headers, body] + end + end +end + # Allow any and all cross-origin requests to the API. Allow any origin, and # any headers. Non-browser requests do not have origin or header restrictions, # so browser-requests should be similarly permitted. (Though the API does not # require any custom headers, Ajax frameworks may automatically add headers # such as X-Requested-By to requests.) -Rails.configuration.middleware.use Rack::Cors do +Rails.configuration.middleware.use OpenStreetMap::Cors do allow do origins "*" resource "/oauth/*", :headers => :any, :methods => [:get, :post] -- 2.39.5