Enhancement: Made CORS Preflight Check specification conform.

Rolf Schmidt 2020-02-13 11:49:33 +01:00 committed by Thorsten Eckel
parent 49b0ca4d58
commit 1cbb139476
4 changed files with 30 additions and 12 deletions


@ -35,19 +35,12 @@ module ApplicationController::SetsHeaders
# request, return only the necessary headers and return an empty # request, return only the necessary headers and return an empty
# text/plain. # text/plain.
def cors_preflight_check def cors_preflight_check
return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth' return if request.method != 'OPTIONS'
cors_preflight_check_execute
end
def cors_preflight_check_execute
return true if request.method != 'OPTIONS'
headers['Access-Control-Allow-Origin'] = '*' headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS' headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language' headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
headers['Access-Control-Max-Age'] = '1728000' headers['Access-Control-Max-Age'] = '1728000'
render text: '', content_type: 'text/plain' render plain: ''
false
end end
end end
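Review bot: Dropping the `@_auth_type` gate means every OPTIONS request now receives `Access-Control-Allow-Origin: *` plus the full PUT/DELETE/PATCH method list before any authentication runs, for session-based callers too, and nothing in the hunk records that this is intended. A wildcard origin is only safe while the actual-response headers set in `set_access_control_headers_execute` (outside this hunk) never add `Access-Control-Allow-Credentials: true`; a comment above `cors_preflight_check` should state that invariant, e.g. `# Answers every OPTIONS request unauthenticated with a wildcard origin; never pair this with Allow-Credentials`. Note also that `Authorization` is absent from `Access-Control-Allow-Headers`, so a cross-origin token or basic-auth call of the kind the old gate targeted would still fail preflight if the browser sends that header — worth confirming against the intended callers.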


@ -2,7 +2,7 @@
class FormController < ApplicationController class FormController < ApplicationController
skip_before_action :verify_csrf_token skip_before_action :verify_csrf_token
before_action :cors_preflight_check_execute before_action :cors_preflight_check
after_action :set_access_control_headers_execute after_action :set_access_control_headers_execute
skip_before_action :user_device_check skip_before_action :user_device_check


@ -6,6 +6,7 @@ Rails.application.routes.draw do
# just remember to delete public/index.html. # just remember to delete public/index.html.
root to: 'init#index', via: :get root to: 'init#index', via: :get
root to: 'errors#routing', via: %i[post put delete options]
# load routes from external files # load routes from external files
dir = File.expand_path(__dir__) dir = File.expand_path(__dir__)
@ -18,6 +19,5 @@ Rails.application.routes.draw do
end end
end end
match '*a', to: 'errors#routing', via: %i[get post put delete] match '*a', to: 'errors#routing', via: %i[get post put delete options]
end end
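Review bot: The catch-all still omits `patch` although the preflight advertises PATCH in `Access-Control-Allow-Methods`, so a PATCH to an unknown path falls through to Rails' default routing error instead of `errors#routing`, while OPTIONS on the same path now gets a 200 preflight. Routing OPTIONS for every unknown path to `errors#routing` also relies on that controller inheriting the `cors_preflight_check` before_action; that is implied by the new spec but not visible here. Suggest `match '*a', to: 'errors#routing', via: %i[get post put patch delete options]` and the same method list on the new `root` line, so the error controller sees every method the preflight claims to support.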


@ -0,0 +1,25 @@
require 'rails_helper'
RSpec.describe 'CORS Preflight Check', type: :request do
shared_examples 'empty response' do
it { expect(response).to have_http_status(:ok) }
it { expect(response.body).to be_empty }
end
context 'valid route' do
before do
process :options, '/'
end
include_examples 'empty response'
end
context 'invalid route' do
before do
process :options, '/this_is_an_invalid_route'
end
include_examples 'empty response'
end
end
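Review bot: Both examples check only the status and an empty body, so the spec still passes if every `Access-Control-*` header is dropped — the very behaviour this commit is about. Add to the shared example `it { expect(response.headers['Access-Control-Allow-Origin']).to eq('*') }` and a matching expectation on `Access-Control-Allow-Methods`. A third context sending a non-OPTIONS verb (e.g. `get '/this_is_an_invalid_route'`) and expecting a non-200 status would also show that the preflight does not mask routing errors for real requests.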