Skip to content

Instantly share code, notes, and snippets.

@bnorton

bnorton/README.md

Last active March 26, 2019 14:56
Show Gist options
  • Save bnorton/7b1f25b4e163901963f151b9ce17a4f7 to your computer and use it in GitHub Desktop.
Save bnorton/7b1f25b4e163901963f151b9ce17a4f7 to your computer and use it in GitHub Desktop.
Download ZIP
OPTIONS requests being blocked by CORB
Raw
README.md

Based on information found here on the chromium blog I found that options requests that render with head :ok are blocked by CORB because the resposne has headers of Content-Type: text/plain and X-Content-Type-Options: nosniff. The text/plain content type is a "trigger" for CORB checking and when Rails sets the contet type options to nosniff for this response CORB cannot inspect the response to see if it is safe.

TL;DR add response.headers.delete('X-Content-Type-Options') in your OPTIONS preflight handler

Raw
application_controller.rb
class ApplicationController < ActionController::Base
before_action :enable_cors
def options
head :ok
end
private
def enable_cors
response.headers.merge!(
'Access-Control-Allow-Origin' => request.headers['Origin'].presence || '',
'Access-Control-Allow-Credentials' => 'true',
)
if request.method_symbol == :options
response.headers.delete('X-Content-Type-Options') ## THIS IS THE IMPORTANT BIT
response.headers.merge!(
'Access-Control-Allow-Methods' => 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS',
'Access-Control-Allow-Headers' => request.headers['Access-Control-Request-Headers'].presence || 'Origin, X-Requested-With, Content-Type, Accept',
'Access-Control-Max-Age' => 14.days.to_s
)
end
end
end
Raw
routes.rb
Rails.application.routes.draw do
# ...
# then at the very end
match '*anything' => 'application#options', :via => [:options]
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment