I ran into an odd problem today on a company app suite. TL;DR - you need to set credentials: false if you want multiple JS endpoints all hitting the same API endpoint to work.
Some background:
My company has a suite of internal applications that all interact via AJAX with a central API server (Rails 3.2.14, rack-cors 0.2.8). Each JS app is on a separate subdomain (so foo-app.example.com, bar-app.example.com).
The API server had the following configuration for rack-cors:
The observed behavior was that the first application visited in a tab would load successfully, but navigating to another app in the suite relatively quickly afterwards (in the same tab) would fail with a CORS error in the browser.
Some digging revealed that when the first app preflighted its requests, the Access-Control-Allow-Origin header was set to foo-app.example.com. This result was cached by the browser, causing the second app's requests to fail.
Adding credentials: false to the resource call caused the Access-Control-Allow-Origin to be correctly sent as * and solved the problem.
The behavior is definitely correct by the W3C docs, but it's not at all obvious (short of either extreme familiarity with the spec or reading the source) that the credentials flag would have this effect.
I'm happy to help write up some docs for this, but I'm not sure where they should go. In the meantime, perhaps this issue will save somebody else some confusion.
I apologize if this is the wrong place to ask this, but I'm having this exact issue and I wanted to ask...
This is my block for the cors configuration, adding the subdomains like your applications above, as well as some localhosts for development in different apps...
I don't think it's a good solution to use "*" as the origin as I only want my API accessible to the apps that are authorized to use it. Yet, looking at the CORS spec, it will only return one URL at a time. So what's the solution to allow multiple origins to hit the same Rack::CORS enabled service? I saw the previous issue of #30 which had a comment suggesting the use of *.domain.com to address this.
What's the best way to address this in the config?
UPDATE (same day):
I have this 95% solved by setting :max_age => 0. That avoids caching the Access-Control-Allow-Origin when you switch from one internal app to another. Leaving this here in case someone else has the same problem.
That said, the '*.subdomain.foo' pattern had the effect of not working for any of the subdomains...
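Added example, not code from this thread or from rack-cors: a minimal Rack middleware that does what both posts above are circling around. It keeps an explicit origin allowlist (hostnames plus an anchored Regexp for the subdomain case, so example.com.evil.net does not match), echoes only the origin that matched instead of answering *, sets Access-Control-Allow-Credentials only when credentials are enabled, and always sends Vary: Origin. That last header is the check worth adding whichever cache bit you: a response whose Access-Control-Allow-Origin names foo-app.example.com may be replayed by any HTTP cache to bar-app.example.com unless the cache is told the response varies by Origin. The hostnames, paths and the sample app are constructed placeholders. Current rack-cors accepts strings and regular expressions under origins, so the same allowlist shape carries over to its DSL.

```ruby
# Constructed example middleware, not rack-cors itself: an origin allowlist
# that echoes the matching Origin, never answers "*", and emits "Vary: Origin"
# so a response cached for foo-app.example.com is not replayed to bar-app.
class AllowlistCors
  # allowed:     strings or anchored Regexps matched against the Origin header
  # credentials: whether cookies/Authorization may be sent cross-origin
  # max_age:     seconds the browser may cache a preflight (0 = do not cache)
  def initialize(app, allowed:, credentials: false, max_age: 0,
                 methods: %w[GET POST OPTIONS],
                 headers: %w[Content-Type Authorization])
    @app, @allowed, @credentials, @max_age = app, allowed, credentials, max_age
    @methods, @headers = methods, headers
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    unless origin && allowed?(origin)
      # Unknown origin: refuse the preflight outright, or serve the real request
      # with no CORS headers at all so the browser withholds the response.
      if preflight?(env)
        return [403, { 'Content-Type' => 'text/plain' }, ['origin not allowed']]
      end
      return @app.call(env)
    end

    if preflight?(env)
      extra = {
        'Access-Control-Allow-Methods' => @methods.join(', '),
        'Access-Control-Allow-Headers' => @headers.join(', '),
        'Access-Control-Max-Age'       => @max_age.to_s
      }
      [204, cors_headers(origin).merge(extra), []]
    else
      status, headers, body = @app.call(env)
      [status, headers.merge(cors_headers(origin)), body]
    end
  end

  private

  def preflight?(env)
    env['REQUEST_METHOD'] == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
  end

  def allowed?(origin)
    @allowed.any? { |a| a.is_a?(Regexp) ? a.match?(origin) : a == origin }
  end

  def cors_headers(origin)
    # Echo the one origin that matched. With credentials enabled browsers reject
    # "*", so echoing is mandatory; without credentials "*" would work but throws
    # the allowlist away, so echo anyway. Vary: Origin tells browser and shared
    # HTTP caches that this response is specific to one origin.
    h = { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
    h['Access-Control-Allow-Credentials'] = 'true' if @credentials
    h
  end
end

# Constructed sample app and allowlist (hostnames are placeholders).
SAMPLE_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }
SAMPLE_CORS = AllowlistCors.new(
  SAMPLE_APP,
  allowed: ['http://localhost:3000',
            # Anchored: matches bar-app.example.com, not example.com.evil.net
            %r{\Ahttps://[a-z0-9-]+\.example\.com\z}],
  credentials: true,
  max_age: 600 # the spec keys the preflight cache on the requesting origin, so caching is safe
)

# Simulate one request through the middleware; returns [status, response headers].
def cors_request(origin, method: 'GET', preflight_for: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/api/things' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = preflight_for if preflight_for
  status, headers, _body = SAMPLE_CORS.call(env)
  [status, headers]
end

if __FILE__ == $PROGRAM_NAME
  %w[https://foo-app.example.com https://bar-app.example.com https://example.com.evil.net].each do |o|
    status, headers = cors_request(o)
    puts "#{o} -> #{status} ACAO=#{headers['Access-Control-Allow-Origin'].inspect} Vary=#{headers['Vary'].inspect}"
  end
end
```

Running it shows foo-app and bar-app each getting their own origin echoed back with Vary: Origin, while the look-alike host gets a 200 with no CORS headers, which the browser then blocks. With the origin echoed per request and Vary set, the :max_age => 0 workaround is no longer needed.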