Skip to content

Instantly share code, notes, and snippets.

@trak3r

trak3r/help_cors.md

Last active July 27, 2018 13:53
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save trak3r/44f4a1897d4afc0d9f10abb964f93deb to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save trak3r/44f4a1897d4afc0d9f10abb964f93deb to your computer and use it in GitHub Desktop.
Download ZIP
Raw
help_cors.md

Before Chrome makes a cross-domain AJAX call it makes an OPTIONS check like this:

curl \
'https://fubar.com/users/sign_in' \
-X OPTIONS \
-H 'Access-Control-Request-Method: POST' \
-H 'Origin: http://snafu.com' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' \
-H 'Access-Control-Request-Headers: content-type' \
--compressed \
--insecure \
--verbose

(I added --insecure and --verbose for testing.)

I can see this request in the Apache logs but it doesn't get to Rails.

127.0.0.1 - - [27/Jul/2018:09:22:44 -0400] "OPTIONS /users/sign_in HTTP/1.1" 200 -

If I remove the Access-Control-Request-Method header then it does pass the request to Rails.

This makes me suspect that Apache (or Passenger) is intercepting these requests rather than propagating them to Rails.

However I'm unable to find any clues or configurations explaining why this would be happening and how to stop it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment