
Thanks in advance to anyone who can help me with this!!

I'm running a Rails 5.2 application with React and Webpacker, and I want to display a Gravatar icon for my users when they're logged in, but I keep getting blocked by the browser's CORB.

I've been going over all the Rack CORS documentation and the Stack Overflow entries about setting up Rails with CORS, but I still cannot seem to get it to work. I don't see the allowed origins in my headers, and the requests to Gravatar.com continue to be blocked.

I've set up my config/credentials.yml.enc with my hostnames, as noted in https://stackoverflow.com/a/56772510/759615:

# config/credentials.yml.enc (decrypted contents), keyed by Rails environment
development:
  allowed_origins:
    - http://localhost:3000
    - http://127.0.0.1:3000

production:
  allowed_origins:
    - http://productionurl1.com
    - http://productionurl2.com

application.rb:

  class Application < Rails::Application

    config.load_defaults 5.2

    # Put Rack::Cors first in the middleware stack so it sees every request,
    # including OPTIONS preflights, before anything else can answer them.
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        # Origins come from the encrypted credentials for the current environment
        origins Rails.application.credentials[Rails.env.to_sym][:allowed_origins]

        resource '*',
                 headers: :origin,
                 methods: [:get, :post, :options, :put]
      end
    end
  end

I've also tried a completely open configuration for CORS in application.rb just to test the concept:

...
     allow do
        origins '*'
    ...

and for the local environment I've set the headers for dev_server in config/webpacker.yml

      'Access-Control-Allow-Origin': 'http://localhost:3000/'

(wherein I've also tried the Webpacker hostname, 127.0.0.1, to no avail)

There are a lot of variables and I've probably missed something or more likely misunderstood the meaning in the documentation, but I'm really hoping someone out there has the CORS answer I'm looking for!!

GLaDOS

2 Answers


I use Rack::Cors in my project without variables:

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'localhost:5000', /https*:\/\/.*?domain\.(com|org)\/*/, /https:\/\/another_domain\.my_domain\.org/
    resource '*', headers: :any, methods: :any, credentials: true
  end
end

And it works perfectly.

mechnicov


With a bad implementation where all connections are open in the middleware (i.e. the wildcard origin is set to "*"), you might get a security error:

'initialize': Allowing credentials for wildcard origins is insecure. 
Please specify more restrictive origins or set 'credentials' to false
in your CORS configuration. (Rack::Cors::Resource::CorsMisconfigurationError)

You can use a regex in order to set the right permissions:

use Rack::Cors do
  allow do
    # regular expressions can be used here
    origins 'localhost:3000', '127.0.0.1:3000', /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/

    resource '/file/list_all/',
      headers: 'x-domain-token'

    resource '/file/at/*',
      methods: [:get, :post, :delete, :put, :patch, :options, :head],
      headers: 'x-domain-token',
      # headers to expose
      expose: ['Some-Custom-Response-Header'],
      max_age: 600
  end
end

Look at the rack-cors documentation for other examples.

alilland
avivamg
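All three posts revolve around the same two things: which Origin values Rack::Cors will echo back in Access-Control-Allow-Origin (the question's credentials-driven list, the first answer's regex origins, the second answer's anchored regex and its wildcard-plus-credentials error), and how to tell whether the header is actually being emitted. CORS headers are produced by the server whose response is being read, so the headers this middleware adds govern who may read this Rails app's responses. What follows is an added example that is not part of the question or either answer and is not rack-cors itself: a small Rack-compatible middleware written for this page that mirrors the rack-cors behaviours the posts rely on (scheme-less strings are anchored and matched under any scheme, full URLs match exactly, Regexps are tested with === and therefore match unanchored, and '*' together with credentials raises). TinyCors, CorsMisconfigurationError, the constructed sample app APP and the CORS, OPEN, LOOSE and STRICT configurations are all names introduced here; the LOOSE pattern is the first answer's, used to show what an unanchored Origin regex also accepts.

```ruby
# Added example, not from the question or either answer: a minimal Rack-style
# CORS middleware that mirrors the parts of rack-cors these posts touch on
# (exact-string vs regex origins, the wildcard-plus-credentials refusal, and
# the headers a response ends up with). It needs no gems: a Rack middleware is
# just an object whose #call takes an env Hash and returns [status, headers, body].

class CorsMisconfigurationError < StandardError; end

class TinyCors
  # origins: Strings ('http://localhost:3000' matches exactly; 'localhost:3000'
  # matches that host under any scheme), Regexps, or '*' for every origin.
  def initialize(app, origins:, methods: %w[GET POST OPTIONS], headers: [], credentials: false)
    @app = app
    @public = origins.include?('*')
    # Same rule rack-cors enforces: wildcard origins plus credentials would let
    # any site read responses that carry the user's cookies.
    raise CorsMisconfigurationError, 'Allowing credentials for wildcard origins is insecure' if @public && credentials
    @origins = origins.map { |o| o.is_a?(Regexp) || o == '*' || o =~ %r{\Ahttps?://} ? o : compile(o) }
    @methods = methods.map { |m| m.to_s.upcase }
    @headers = headers.map { |h| h.to_s.downcase }
    @credentials = credentials
  end

  # Regexps are tested with ===, an unanchored match, as rack-cors also does:
  # pinning a pattern with \A and \z is the author's responsibility.
  def allow_origin?(origin)
    return true if @public
    @origins.any? { |o| o === origin }
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    # No Origin header (same-origin or non-browser) or a disallowed origin:
    # pass through and add nothing, so the browser refuses to expose the body.
    return @app.call(env) if origin.nil? || !allow_origin?(origin)
    return preflight(origin, env) if env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(origin)), body]
  end

  private

  # 'localhost:3000' -> anchored regex matching the whole Origin under any scheme
  def compile(host)
    Regexp.new("\\A[a-z][a-z0-9.+-]*://#{Regexp.escape(host)}\\z")
  end

  def cors_headers(origin)
    h = { 'Access-Control-Allow-Origin' => (@public && !@credentials ? '*' : origin), 'Vary' => 'Origin' }
    h['Access-Control-Allow-Credentials'] = 'true' if @credentials
    h
  end

  def preflight(origin, env)
    wanted = env.fetch('HTTP_ACCESS_CONTROL_REQUEST_HEADERS', '').split(',').map { |s| s.strip.downcase }.reject(&:empty?)
    # Refuse the preflight when the method or any requested header is not allowed.
    return [403, {}, []] unless @methods.include?(env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && (wanted - @headers).empty?
    h = cors_headers(origin).merge('Access-Control-Allow-Methods' => @methods.join(', '))
    h['Access-Control-Allow-Headers'] = wanted.join(', ') unless wanted.empty?
    [200, h, []]
  end
end

# Constructed sample app and configurations (the origins are the question's own).
APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }
CORS = TinyCors.new(APP, origins: ['http://localhost:3000', 'http://127.0.0.1:3000'], credentials: true)
OPEN = TinyCors.new(APP, origins: ['*'])
# The first answer's pattern is unanchored, so a lookalike host satisfies it too;
# the STRICT variant pins both ends of the Origin.
LOOSE = TinyCors.new(APP, origins: [/https*:\/\/.*?domain\.(com|org)\/*/])
STRICT = TinyCors.new(APP, origins: [/\Ahttps?:\/\/([a-z0-9-]+\.)?domain\.(com|org)\z/])

# What the asker wanted to see: the Allow-Origin header for a given Origin,
# driven by a hand-built env Hash instead of a browser.
def allow_origin_header(cors, origin, method: 'GET')
  _status, headers, _body = cors.call('REQUEST_METHOD' => method, 'HTTP_ORIGIN' => origin)
  headers['Access-Control-Allow-Origin']
end

if __FILE__ == $PROGRAM_NAME
  puts allow_origin_header(CORS, 'http://localhost:3000')         # http://localhost:3000
  puts allow_origin_header(CORS, 'http://evil.example').inspect   # nil
  puts LOOSE.allow_origin?('https://evildomain.com')              # true
  puts STRICT.allow_origin?('https://evildomain.com')             # false
end
```

Driving the middleware with a plain env Hash, as allow_origin_header does, is the quickest check when a header seems to be missing: if Access-Control-Allow-Origin shows up here but not in the browser's network panel, the response the browser is complaining about is coming from somewhere this middleware never sees. Note also that the first answer's regex, matched unanchored, accepts https://evildomain.com as well as https://www.domain.com; pinning the pattern with \A and \z, as the second answer's 192.168 pattern does, closes that.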