How to add Access-Control-Allow-Origin headers to API Response in Ruby
Sinatra is a simple and lightweight web server. The general idea is that you write response routes like this:
get '/api' do
When you make an HTTP GET request to yoursite.com/api you will get a "Hello world" as the response.
Now to add the header you want, this should do the trick:
get '/api' do
  # Send the CORS header with this route's response
  response['Access-Control-Allow-Origin'] = '*'
end
Can't get 'Access-Control-Allow-Origin' header from fetch request
move your config from
all files in config/initializers/ will be loaded on rails startup.
Also, it could be blocked by the new Rails 6 feature that blocks unwanted hosts.
Add the following snippet to config/application.rb or env specific file in
check Upgraded Rails to 6, getting Blocked host Error
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access
Here is what you will have to do: if you are making a GET request, your client request has to send the Origin header, and then your server has to send the Access-Control-Allow-Origin header in the response. The values of both of these headers have to be the same to allow cross-origin resource sharing.
No 'Access-Control-Allow-Origin' header is present on the requested resource?
You don't need to (shouldn't be) generating the headers in every response.
In your case, I would wager the asset request from your browser is being "preflighted" with an OPTIONS request, but the CDN passes on the request without Access-Control request headers. The CDN thus (correctly) receives no CORS response headers from your Rails app, so the browser doesn't even attempt the GET request, and fails with the Cross-Origin error.
"preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send
Your CDN needs to be set up to forward the correct request headers to your app server such that it knows to generate the CORS headers. Then, the CDN will pass these CORS response headers along to the browser.
When you want OPTIONS responses to be cached, configure CloudFront to forward the following headers: Origin, Access-Control-Request-Headers, and Access-Control-Request-Method.
If you make the change to your CDN for those headers and then invalidate your assets, your rack-cors configuration by itself should work just fine.
# @note: must be run after initializers/_assets.rb
Rails.application.config.middleware.insert_before 0, Rack::Cors do
# All asset requests should be to rails prefixed assets paths
# served from the asset pipeline (e.g.: "/assets/*" by default)
# Allow any request headers to be sent in the asset request
# All asset fetches should be via GET
# Support OPTIONS for pre-flight requests
methods: [:get, :options]
Rails. No 'Access-Control-Allow-Origin' header is present on the requested resource
Looks like you're missing insert_before 0 according to the docs
config.middleware.insert_before 0, Rack::Cors do
resource '*', headers: :any, methods: [:get, :post, :options]
Setting CORS headers do not solve my CORS problem
Before browsers make a cross-origin POST request, they first perform a so-called CORS-preflight request to make sure that the target of the POST allows the request.
For that, browsers make an OPTIONS request to the URL and check the CORS headers of the response. Only if the response headers of this preflight request indicate that the request is allowed, browsers will perform the actual
For you, that means that your create action (for the POST request) won't receive a request unless you also reply to an OPTIONS request first.
While you could implement this "by hand", it is usually a much better idea to use an existing CORS implementation such as the
CORS policy Access-Control-Allow-Origin header in the response mustn't be wildcard * when credentials include
credentials: true and specifying the domain address in origins fixed the issue
use Rack::Cors do
:headers => :any,
:methods => [:get, :post, :delete, :put, :patch, :options],
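The preflight and credentials behaviour discussed in the answers above, as an added example that is not taken from any of the answers or from rack-cors: a Rack-compatible middleware that answers OPTIONS preflights itself and echoes only an exactly matching allowlisted origin instead of `*`. The class name `AllowlistCors`, the sample app and the origin `https://app.example.com` are hypothetical and constructed for illustration.

```ruby
# Added example: minimal Rack-compatible CORS middleware (plain Ruby, no gems).
# AllowlistCors, APP, STACK and the origin below are hypothetical / constructed.
class AllowlistCors
  def initialize(app, origins:, methods: %w[GET POST OPTIONS], credentials: false)
    @app, @origins, @methods, @credentials = app, origins, methods, credentials
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    allowed = origin && @origins.include?(origin) # exact match only, never '*'
    preflight = env['REQUEST_METHOD'] == 'OPTIONS' &&
                env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
    if preflight
      # Answer the preflight here; the wrapped app (e.g. a create action) is not called.
      headers = { 'vary' => 'Origin' }
      if allowed && @methods.include?(env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])
        headers.merge!(cors_headers(origin))
        headers['access-control-allow-methods'] = @methods.join(', ')
        requested = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] # like headers: :any
        headers['access-control-allow-headers'] = requested if requested
      end
      return [204, headers, []]
    end

    status, headers, body = @app.call(env)
    # The response differs per Origin, so caches and CDNs must key on it.
    vary = [headers['vary'], 'Origin'].compact.join(', ')
    headers = headers.merge('vary' => vary)
    headers = headers.merge(cors_headers(origin)) if allowed
    [status, headers, body]
  end

  private

  def cors_headers(origin)
    h = { 'access-control-allow-origin' => origin }
    # Browsers reject '*' when credentials are included, so the origin is echoed.
    h['access-control-allow-credentials'] = 'true' if @credentials
    h
  end
end

# Constructed sample app and middleware stack for the example.
APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['Hello world']] }
STACK = AllowlistCors.new(APP, origins: ['https://app.example.com'], credentials: true)
```

A request whose Origin is not on the list, or is the literal `null`, still reaches the app but gets no CORS headers, so the browser refuses to expose the response to the calling page.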