@mfifth
Last active April 12, 2017 18:11
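# Serves the app proxy pages (Liquid) and the password check.
class AppProxyController < ApplicationController
  include ShopifyApp::AppProxyVerification

  # check_password is posted from another origin, so it carries no Rails CSRF token.
  protect_from_forgery except: [:check_password]
  after_action :set_headers, only: [:check_password]

  def index
    render layout: false, content_type: 'application/liquid'
  end

  def login_form
    render layout: false, content_type: 'application/liquid'
  end

  def check_password
    @setting = Setting.find(1)
    expected = @setting.password.to_s
    supplied = params[:password].to_s
    # Constant-time comparison; an unset password never matches.
    if expected.present? && ActiveSupport::SecurityUtils.secure_compare(expected, supplied)
      head :ok
    else
      head :bad_request
    end
  end

  protected

  # CORS response headers for check_password.
  def set_headers
    # Browsers do not accept a wildcard origin on credentialed requests.
    response.headers['Access-Control-Allow-Origin'] = '*'
    response.headers['Access-Control-Allow-Methods'] = 'POST, PUT, DELETE, GET, OPTIONS'
    # Access-Control-Request-Method is a preflight request header; it has no effect on a response.
    response.headers['Access-Control-Request-Method'] = '*'
    response.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Authorization, Cache-Control'
  end
end
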
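<div class='rails-app'>
  <div class='login-portal'>
    <h2 style='color: blue;'>Login</h2>
    <%= form_tag "https://myapp.herokuapp.com/login_path/check_password", remote: true, class: "resource-form" do %>
      <%# password_field_tag masks the value as it is typed %>
      <%= password_field_tag :password, "", placeholder: "Enter Password", style: "background-color: #e6e6e6;" %>
      <%= submit_tag "Login", class: "check-pass-btn" %>
    <% end %>
    <div class='form-notifications'></div>
  </div>
</div>
<script>
  // Post the form to check_password via AJAX instead of a normal submit.
  $(".resource-form").on("submit", function(e) {
    $.ajax({
      url: $(".resource-form").attr("action"),
      // jQuery only applies withCredentials when it is passed under xhrFields.
      withCredentials: true,
      crossDomain: true,
      type: "POST",
      // check_password replies with an empty body, which jQuery rejects as invalid JSON when dataType is "json".
      dataType: "text",
      data: $(".resource-form").serialize(),
      success: function(data) {
        // The partial is rendered into this script when the page is served,
        // so its markup is in the page source before the password is checked.
        $(".rails-app").html("<%= escape_javascript(render partial: 'category_section') %>");
        console.log("Does this work?")
      },
      error: function(data) {
        $(".form-notifications").html("<p style='color: red;'>That password is incorrect. Please try again.</p>");
      }
    });
    // Cancel the browser's default form submission.
    return false;
  });
</script>
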
GENERAL
Request URL:https://myapp.herokuapp.com/login_path/check_password
Request Method:POST
Status Code:401 Unauthorized
Remote Address:54.243.171.118:443
Referrer Policy:no-referrer-when-downgrade
RESPONSE
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:https://targetsite.net
Access-Control-Max-Age:1728000
Cache-Control:no-cache
Connection:keep-alive
Content-Type:text/html
Date:Wed, 12 Apr 2017 18:08:13 GMT
P3p:CP="Not used"
Server:Cowboy
Transfer-Encoding:chunked
Vary:Origin
Via:1.1 vegur
X-Content-Type-Options:nosniff
X-Request-Id:cb3c4ca2-195b-4358-89fa-d4270b64e5ba
X-Runtime:0.005716
X-Xss-Protection:1; mode=block
REQUEST
Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:29
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Host:myapp.herokuapp.com
Origin:https://targetsite.net
Referer:https://targetsite.net/tools/resource-center
User-Agent:Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Mobile Safari/537.36