# Rack::Cors Configuration Tricks

cyu’s Rack::Cors middleware is rather handy if want to control your CORS (Cross-Origin Resource Sharing) settings in a Ruby-on-Rails project. Previously, there was a fairly major issue where :credentials => true was the default (which you generally do not want), but there were also some more complicated tweaks that I wanted to make.

One problem I recently had to deal with was wanting to:

• Allow CORS connections from arbitrary domains (this site functions as an API)
• Do not allow CORS from http domains at all
• Only allow cookies (Access-Control-Allow-Credentials) to be sent for sibling subdomains
• Prevent cookies from being sent from specific sibling subdomains (that are actually run by a third party)
• On development (non-production) versions of the site, allow credentials from localhost