-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access-Control-Allow-Origin is returned only if Origin header is set #24
Comments
+1 |
I wonder what role this plays: http://www.w3.org/TR/access-control/#resource-implementation |
It think the current implementation is the correct behavior. Step one of the CORS spec states that any simple request without an Having said that, I'm don't see any harm in possibly supporting this as an additional configuration (I'd like the default implementation to eventually match spec as much as possible). Sorry for taking so long to respond to this. Is there a particular use case where this behavior is necessary? I'd like to understand under what circumstances why this behavior is desired. |
I agree the library should strictly implement the CORS specification. It is interesting to note that responses from api.github.com have this header combination:
Reading the spec here, you'll find this Note in the discussion about supports credentials:
My concern is further expressed in the discussion about Security Concerns. Namely, if a resource supports credentials, it should also reflect the requesting In other words, I think rack-cors has this right. Therefore, it should be difficult to do it wrong? |
Just thought I'd drop my 2c in here. For responses which you want to consider public as far as cache control goes, it can be necessary to add in the |
For the record, we solved the issue by adding a |
We couldn't use the workaround suggested by @snikch as adding class InjectOriginHeaderMiddleware
def initialize(app)
@app = app
end
def call(env)
# Force rack-cors to always return Access-Control-Allow-Origin
# by always setting the "Origin:" header in the request
env['HTTP_ORIGIN'] ||= 'force-CORS'
@app.call(env)
end
end In config.middleware.insert_before Rack::Cors, "InjectOriginHeaderMiddleware" |
This issue is 3 years old, but this strict interpretation is indeed causing us issues as described by folks above. In particular, we would like to cache a VERY specific set of headers as our response for our javascript files, regardless of whether the origin is set. By varying the responses based on the request, it is possible for us to have the wrong responses get set in our CDN's cache, which causes subsequent valid requests to fail. We might have to manually add these headers as suggested, but I welcome other suggestions or options to force this header. On a related note, imagine that we have a very particular domain (example.com) that we'd like to specify as a valid origin. So, we'd like to always respond with the header: |
Rails 3.2.13, Ruby 2.0.0, Mongoid
config/application.rb:
Using HTTPie:
Access-Control-Allow-Origin
is NOT returnedIf I set an Origin header:
I get:
Is this expected? I was under the impression that
Access-Control-Allow-Origin
would be set to*
even if no Origin was specified.GitHub's API returns
*
when no Origin is specified. How can I get that behavior as well?The text was updated successfully, but these errors were encountered: