Challenge - 5 Problems

🎖️

CORS Mastery in Rails

Get all challenges correct to earn this badge!

Test your skills under time pressure!

❓ component_behavior

intermediate

2:00remaining

What happens when a Rails app has this CORS config?

Given this CORS configuration in a Rails app, what will be the behavior when a browser from https://example.com tries to make a GET request?

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://example.com'
    resource '*', headers: :any, methods: [:get, :post]
  end
end

AThe GET request from https://example.com will succeed with CORS headers allowing it.

BThe GET request will succeed but without CORS headers, causing browser to block response.

CThe GET request will be blocked because only POST methods are allowed.

DThe GET request will be blocked because origins must be '*' to allow any domain.

Attempts:

2 left

📝 Syntax

intermediate

2:00remaining

Identify the syntax error in this CORS config snippet

Which option contains the correct syntax for allowing all origins and all methods in Rails CORS config?

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*', headers: :any, methods: [:get, :post, :put, :delete]
  end
end

origins '*'
resource '*', headers: :any, methods: [get, post, put, delete]

origins '*'
resource '*', headers: :any, methods: [:get :post :put :delete]

origins '*'
resource '*', headers: :any, methods: [:get, :post, :put, :delete]

origins *
resource '*', headers: any, methods: [:get, :post, :put, :delete]

Attempts:

2 left

🔧 Debug

advanced

2:00remaining

Why does this Rails CORS config block requests from https://myapp.com?

A developer wrote this CORS config but requests from https://myapp.com are blocked by the browser:

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://myapp.com'
    resource '/api/*', headers: :any, methods: [:get, :post]
  end
end

What is the most likely reason?

AThe origins string must be an array, not a string.

BThe resource path '/api/*' does not match the actual request path '/api/v1/users'.

CThe methods array is missing the :options method needed for preflight.

DThe middleware is inserted after other middlewares, so it is ignored.

Attempts:

2 left

❓ state_output

advanced

2:00remaining

What CORS headers are sent with this config for a POST request?

Given this Rails CORS config:

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://client.com'
    resource '/submit', headers: :any, methods: [:post]
  end
end

What CORS headers will the server send in response to a POST request from https://client.com?

ANo CORS headers are sent because only GET is allowed.

BAccess-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST Access-Control-Allow-Headers: Content-Type

CAccess-Control-Allow-Origin: https://client.com Access-Control-Allow-Methods: GET, POST Access-Control-Allow-Headers: *

DAccess-Control-Allow-Origin: https://client.com Access-Control-Allow-Methods: POST Access-Control-Allow-Headers: *

Attempts:

2 left

🧠 Conceptual

expert

3:00remaining

Why is CORS middleware inserted before other middlewares in Rails?

In Rails, why do we insert the Rack::Cors middleware at position 0 like this?

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*', headers: :any, methods: [:get, :post, :options]
  end
end

Choose the best explanation.

ATo ensure CORS headers are added before other middlewares process the request, especially before authentication or session middlewares.

BBecause Rack::Cors must be the last middleware to modify the response after all processing.

CTo delay CORS checks until after the controller has handled the request.

DIt does not matter where Rack::Cors is inserted; position 0 is just a convention.

Attempts:

2 left