Ruby on Rails framework, ~10 mins

CORS configuration in Ruby on Rails - Step-by-Step Execution

Concept Flow - CORS configuration
- Client sends request
- Server receives request
- Check Origin header
- Is Origin allowed?
  - No: reject the request or send it with no CORS headers
  - Yes: add CORS headers to the response
- Send response back to client
The server checks the request's origin and adds CORS headers if allowed, enabling cross-origin access.
Execution Sample
Ruby on Rails
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://example.com'                        # exact origin, scheme included
    resource '*', headers: :any, methods: [:get, :post]  # every path, GET and POST only
  end
end
This code configures Rails, through the Rack::Cors middleware from the rack-cors gem, to allow CORS requests from https://example.com for the GET and POST methods.
Execution Table
Step | Action | Request Origin | Allowed Origins | CORS Headers Added | Response Sent
1 | Client sends request | https://example.com | https://example.com | No | No
2 | Server receives request | https://example.com | https://example.com | No | No
3 | Check if origin is allowed | https://example.com | https://example.com | No | No
4 | Add CORS headers to response | https://example.com | https://example.com | Yes | No
5 | Send response back to client | https://example.com | https://example.com | Yes | Yes
6 | Client sends request | https://notallowed.com | https://example.com | No | No
7 | Server receives request | https://notallowed.com | https://example.com | No | No
8 | Check if origin is allowed | https://notallowed.com | https://example.com | No | No
9 | Send response back to client | https://notallowed.com | https://example.com | No | Yes
💡 Requests from allowed origins get CORS headers; others do not, but still get a response.
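The origin check walked through in the table, as an added example that is not code from this page or from the rack-cors gem: a minimal Rack-style middleware in plain Ruby (no gems) that reads the Origin header, compares it with the allow-list by exact string match, and attaches CORS headers only on a match, while disallowed origins still receive the response. The SimpleCors class, the simulate_request helper and the look-alike origin are constructed for illustration.

```ruby
# Added example, not from the page or the rack-cors gem: a minimal Rack-style
# middleware implementing the page's flow. Names below are constructed.
ALLOWED_ORIGINS = ['https://example.com'].freeze   # same allow-list as the page's config
ALLOWED_METHODS = ['GET', 'POST'].freeze

class SimpleCors
  def initialize(app, origins:, methods:)
    @app = app
    @origins = origins
    @methods = methods.join(', ')
  end

  def call(env)
    status, headers, body = @app.call(env)        # step 2: request reaches the app
    origin = env['HTTP_ORIGIN']
    if origin && @origins.include?(origin)         # step 3: exact string match only
      headers = headers.merge(                     # step 4: add CORS headers
        'Access-Control-Allow-Origin'  => origin,
        'Access-Control-Allow-Methods' => @methods,
        'Vary' => 'Origin'                         # caches must key on Origin
      )
    end
    [status, headers, body]                        # steps 5 and 9: response sent either way
  end
end

# Stand-in for the Rails app downstream of the middleware.
APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }
STACK = SimpleCors.new(APP, origins: ALLOWED_ORIGINS, methods: ALLOWED_METHODS)

# Simulate one request with the given Origin header (nil = same-origin request
# with no Origin). Returns [status, headers, body_string].
def simulate_request(origin, method: 'GET')
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/api' }
  env['HTTP_ORIGIN'] = origin if origin
  status, headers, body = STACK.call(env)
  [status, headers, body.join]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed origins: the allowed one, a disallowed one, a look-alike that a
  # prefix or substring check would wrongly accept, and a request with no Origin.
  ['https://example.com', 'https://notallowed.com',
   'https://example.com.evil.test', nil].each do |o|
    status, headers, _body = simulate_request(o)
    puts "#{o.inspect}: #{status} ACAO=#{headers['Access-Control-Allow-Origin'].inspect}"
  end
end
```

The Vary: Origin header matters once a cache sits in front of the app, otherwise a response tagged for one origin can be served to another.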
Variable Tracker
Variable | Start | After Step 3 | After Step 4 | After Step 5 | After Step 8 | After Step 9
request_origin | N/A | https://example.com | https://example.com | https://example.com | https://notallowed.com | https://notallowed.com
allowed_origins | ['https://example.com'] | ['https://example.com'] | ['https://example.com'] | ['https://example.com'] | ['https://example.com'] | ['https://example.com']
cors_headers_added | false | false | true | true | false | false
response_sent | false | false | false | true | false | true
Key Moments - 2 Insights
Why does the server add CORS headers only for some origins?
The server checks whether the request's Origin header matches an entry in the allowed origins list (see execution table step 3). CORS headers are added only if it matches (step 4). This keeps browsers on other sites from reading the response cross-origin.
What happens if the origin is not allowed?
The server does not add CORS headers but still sends a response (see execution table steps 8 and 9). Because the CORS headers are missing, the browser blocks the requesting page from reading that response.
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution table, at which step are CORS headers first added for an allowed origin?
A. Step 3
B. Step 4
C. Step 5
D. Step 2
💡 Hint
Check the 'CORS Headers Added' column for the first 'Yes' value for https://example.com.
According to the variable tracker, what is the value of 'cors_headers_added' after step 8 for a disallowed origin?
A. false
B. true
C. undefined
D. null
💡 Hint
Look at the 'cors_headers_added' row under 'After Step 8' column.
If we add 'https://notallowed.com' to the allowed origins, how would the execution table change at step 8?
A. Response would not be sent at step 9
B. Request origin would change to https://example.com
C. CORS headers would be added at step 8
D. No change in CORS headers
💡 Hint
Adding an origin to the allowed list means CORS headers get added when that origin makes a request (see the step 3 logic).
Concept Snapshot
CORS configuration in Rails:
- Use Rack::Cors middleware in config/application.rb
- Specify allowed origins with origins 'https://example.com'
- Define allowed resources and HTTP methods
- Server checks Origin header and adds CORS headers if allowed
- Browsers enforce CORS based on these headers
Full Transcript
CORS configuration in Rails works by adding middleware that checks the origin of incoming requests. If the origin matches the allowed list, the server adds special headers to the response. These headers tell the browser it is safe to share the response with the requesting site. If the origin is not allowed, the server sends the response without these headers, so the browser blocks access. The example code uses Rack::Cors middleware to allow requests from https://example.com for GET and POST methods. The execution table shows how requests from allowed and disallowed origins are handled step-by-step, including when headers are added and responses sent. The variable tracker follows key variables like request origin and whether CORS headers were added. Key moments clarify why headers are only added for allowed origins and what happens otherwise. The quiz tests understanding of when headers are added and how changing allowed origins affects behavior.