Safari Access-Control-Request-Headers: Origin issue [explained] #116
See cyu/rack-cors#116 for details.
Some Safari versions will reject CORS responses without this. Additional details: cyu/rack-cors#116
Hi @squadette, is this what you meant by allow origin?

```ruby
config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
  allow do
    origins ""
    resource "", :headers => [:any, :origin], :methods => [:get, :post, :options]
  end
end
```

I tried that way, but it didn't work for me. This is my whole implementation: #33 (comment)
@HoracioChavez, well, if you use The pull-request above probably fixes that.

I am still seeing problems in Safari, after trying dozens of the tips and tricks mentioned in the issues here. I have a Stack Overflow question opened on my specific problem here

@coneybeare Your issue is an issue with cross origin frames:

Any news about this? Simply :any doesn't seem to work still, maybe I'm needing the expose?

I'm doing some issue gardening 🌱🌿 🌷 and came upon this issue. Since it's quite old I just wanted to ask if this is still relevant? If it isn't, maybe we can close this issue? By closing some old issues we reduce the list of open issues to a more manageable set.
When you send a CORS request with some header like X-API-Token, Safari 6 and 7 send
with the request. If you have an explicit list of headers in your Rack::Cors configuration, you probably don't have the `Origin` header in this list. Well, you should, otherwise it does not work.

Chrome and Firefox do not have this issue, they correctly send `Access-Control-Request-Headers: X-API-Token`. Also, Safari makes it harder to debug, because CORS-failed requests are not in "Timelines" window (they are in "Resources" window).

I understand that most people probably just use `headers: :any` and do not bother. We need to either a) explicitly mention this in documentation; or b) always allow "Origin" in this list.

WDYT?
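The mismatch described in the issue, as an added example that is not part of the original thread and is not rack-cors' own code: a simplified Ruby model of the preflight header check, run against an explicit header list with and without Origin. The function names and the Safari header value are assumptions; the Chrome/Firefox value is the one quoted in the issue.

```ruby
# Simplified model of the preflight header check a CORS middleware performs.
# Added illustration only; this is not rack-cors' implementation.

# Header names compare case-insensitively; symbols such as :origin are accepted.
def normalize_header(name)
  name.to_s.strip.downcase
end

# Returns the requested header names that the configured list does not cover.
# allowed is either :any or an explicit list, mirroring the :headers option.
def rejected_headers(allowed, access_control_request_headers)
  return [] if allowed == :any

  allowed_names = Array(allowed).map { |h| normalize_header(h) }
  access_control_request_headers.to_s.split(",")
    .map { |h| normalize_header(h) }
    .reject(&:empty?)
    .reject { |h| allowed_names.include?(h) }
end

def preflight_allowed?(allowed, access_control_request_headers)
  rejected_headers(allowed, access_control_request_headers).empty?
end

# Constructed preflight values. The Chrome/Firefox one is quoted in the issue;
# the Safari one is assumed from the issue's description (Origin listed too).
CHROME_PREFLIGHT = "X-API-Token"
SAFARI_PREFLIGHT = "Origin, X-API-Token"

CONFIGS = {
  "explicit list without Origin" => ["X-API-Token"],
  "explicit list with Origin"    => [:origin, "X-API-Token"],
  "headers: :any"                => :any
}

if __FILE__ == $PROGRAM_NAME
  browsers = { "Chrome/Firefox" => CHROME_PREFLIGHT, "Safari 6/7" => SAFARI_PREFLIGHT }
  CONFIGS.each do |label, allowed|
    browsers.each do |browser, value|
      missing = rejected_headers(allowed, value)
      verdict = missing.empty? ? "allowed" : "rejected (not in list: #{missing.join(', ')})"
      puts format("%-30s %-15s %s", label, browser, verdict)
    end
  end
end
```

Adding Origin to the explicit list resolves the Safari row while keeping the set of accepted request headers narrow, which `headers: :any` does not.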