cyu’s Rack::Cors middleware is rather handy if you want to control your CORS (Cross-Origin Resource Sharing) settings in a Ruby-on-Rails project. Previously, there was a fairly major issue where `:credentials => true` was the default (which you generally do not want), but there were also some more complicated tweaks that I wanted to make.
One problem I recently had to deal with was wanting to:
- Allow CORS connections from arbitrary domains (this site functions as an API)
- Not allow CORS from http origins at all
- Only allow cookies (`Access-Control-Allow-Credentials`) to be sent for sibling subdomains
- Prevent cookies from being sent from specific sibling subdomains (that are actually run by a third party)
- On development (non-production) versions of the site, allow credentials from localhost
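The five rules above expressed as one origin-policy function, as an added example that is not code from the original post or from the rack-cors project; the site name `example.com`, the third-party subdomains, and the two-`allow`-block wiring shown in the trailing comment are assumptions.

```ruby
require 'uri'

# Constructed sample values (assumptions): the API's own domain and the
# sibling subdomains that are operated by a third party.
SITE_DOMAIN = 'example.com'
THIRD_PARTY_SUBDOMAINS = %w[partner.example.com vendor.example.com].freeze

# Decide what to do with one Origin header value:
#   nil                    -> do not allow the cross-origin request at all
#   { credentials: false } -> allow, but never send Access-Control-Allow-Credentials
#   { credentials: true }  -> allow and let cookies be sent
def cors_decision(origin, production: true)
  return nil unless origin.is_a?(String)
  uri = begin
    URI.parse(origin)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.host

  host = uri.host.downcase

  # Dev-only exception: localhost gets credentials, regardless of scheme
  # (assumption: local dev servers are usually plain http).
  return { credentials: true } if !production && %w[localhost 127.0.0.1].include?(host)

  # No http origins at all: an http page could not keep a cookie secret anyway.
  return nil unless uri.scheme == 'https'

  sibling = host == SITE_DOMAIN || host.end_with?(".#{SITE_DOMAIN}")
  trusted_sibling = sibling && !THIRD_PARTY_SUBDOMAINS.include?(host)

  # Any https origin may call the API; only trusted siblings get cookies.
  { credentials: trusted_sibling }
end

# Assumed Rack::Cors wiring (not executed here): credentials is set per
# `allow` block, so use two blocks, the credentialed one first, because the
# first block whose `origins` matches wins.
#
#   config.middleware.insert_before 0, Rack::Cors do
#     prod = Rails.env.production?
#     allow do
#       origins { |src, _env| (d = cors_decision(src, production: prod)) && d[:credentials] }
#       resource '*', headers: :any, methods: :any, credentials: true
#     end
#     allow do
#       origins { |src, _env| !cors_decision(src, production: prod).nil? }
#       resource '*', headers: :any, methods: :any, credentials: false
#     end
#   end
```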