Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insert more than one domain #6

Open
HoneyryderChuck opened this issue Jun 26, 2012 · 3 comments
Open

Insert more than one domain #6

HoneyryderChuck opened this issue Jun 26, 2012 · 3 comments

Comments

@HoneyryderChuck
Copy link

Hi man,

Great gem you got there. I'm just missing something: What if I want to had more than one domain? Thing is, the way the Access-Control-Allow-Origin header field should work, the field has to be repeated in the header:

Access-Control-Allow-Origin: http://example.com
Access-Control-Allow-Origin. https://example.com

At least that's what I read, comma separation doesn't work in this case.

Regards,
Tiago
@HoneyryderChuck
Copy link
Author

Actually, after reading a bit more, the right solution would be defining a list of allowed domains, and then check the ORIGIN header field for the font resource request. If it belongs to the list of allowed domains, then fill the Access-Control-Allow-Origin field with the respective domain and ship the response.

@HoneyryderChuck
Copy link
Author

I got a temporary work around working. Basically I rewrote some of the logic of the middleware in an intializer:


module FontAssets
  class Middleware

    def call(env)
      origin = env["HTTP_ORIGIN"]
      # intercept the "preflight" request
      if env["REQUEST_METHOD"] == "OPTIONS"
        return [200, access_control_headers(origin), []]
      else
        code, headers, body = @app.call(env)
        set_headers! headers, body, env["PATH_INFO"], origin
        [code, headers, body]
      end
    end

    def access_control_headers(origin)
      return {} unless allowed_origin?(origin)
      {
        "Access-Control-Allow-Origin" => origin,
        "Access-Control-Allow-Methods" => "GET",
        "Access-Control-Allow-Headers" => "x-requested-with",
        "Access-Control-Max-Age" => "3628800"
      }
    end

    private

    def set_headers!(headers, body, path, origin)
      if ext = extension(path) and font_asset?(ext) and allowed_origin?(origin)
        headers.merge!(access_control_headers(origin))
        headers.merge!('Content-Type' => mime_type(ext)) if headers['Content-Type']
      end
    end

    def allowed_origin?(origin)
      @origin.include?(origin)
    end

  end

end

It is not optimal, but it does the trick now. But instead of assigning a domain in application.rb, I have to assign an array of domains. I've noticed that the set_headers! function takes the body parameter needlessly. I'll try to work on this a bit more, but tell me what you think meanwhile.

@reconbot
Copy link

This is the right approach but has one issue with cloundfront as they don't support the vary header and will cache whatever domain's "Access-Control-Allow-Origin" header gets served first. (The vary header tells caches use headers and not just urls in their cache keys.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reconbot @HoneyryderChuck