3781: Set CORS headers in API responses.

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 4f0364f15af205df240f2471b80d015ebb4b8b1e..eacd5f28496a7b583072d65e9e0f320efebbc425 100644 (file)
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -27,6 +27,7 @@ class ApplicationController < ActionController::Base
 
   ERROR_ACTIONS = [:render_error, :render_not_found]
 
+  before_filter :set_cors_headers
   before_filter :respond_with_json_by_default
   before_filter :remote_ip
   before_filter :load_read_auths
@@ -345,6 +346,13 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def set_cors_headers
+    response.headers['Access-Control-Allow-Origin'] = '*'
+    response.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, PUT, POST, DELETE'
+    response.headers['Access-Control-Allow-Headers'] = 'Authorization'
+    response.headers['Access-Control-Max-Age'] = '86486400'
+  end
+
   def respond_with_json_by_default
     html_index = request.accepts.index(Mime::HTML)
     if html_index.nil? or request.accepts[0...html_index].include?(Mime::JSON)

diff --git a/services/api/app/controllers/static_controller.rb b/services/api/app/controllers/static_controller.rb
index d624ea8c35983dfe745610a195b40c6418a53434..9c66f018723fdfd05c363d744ee45b6fa068fa66 100644 (file)
--- a/services/api/app/controllers/static_controller.rb
+++ b/services/api/app/controllers/static_controller.rb
@@ -3,7 +3,7 @@ class StaticController < ApplicationController
 
   skip_before_filter :find_object_by_uuid
   skip_before_filter :render_404_if_no_object
-  skip_before_filter :require_auth_scope, :only => [ :home, :login_failure ]
+  skip_before_filter :require_auth_scope, only: [:home, :empty, :login_failure]
 
   def home
     respond_to do |f|
@@ -20,4 +20,8 @@ class StaticController < ApplicationController
     end
   end
 
+  def empty
+    render text: "-"
+  end
+
 end

diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 3e79915f3cb4fff1438702aa4b70bdd3ca97511c..cdcb720c791f8966cc64e95f6eb7b3cea06c0fd2 100644 (file)
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -1,6 +1,7 @@
 class UserSessionsController < ApplicationController
   before_filter :require_auth_scope, :only => [ :destroy ]
 
+  skip_before_filter :set_cors_headers
   skip_before_filter :find_object_by_uuid
   skip_before_filter :render_404_if_no_object
 

diff --git a/services/api/config/routes.rb b/services/api/config/routes.rb
index 705822a6a58eb507e2f42261364293e54494dc65..096a0a58981db643bf1c893671e2657e163da14d 100644 (file)
--- a/services/api/config/routes.rb
+++ b/services/api/config/routes.rb
@@ -3,6 +3,9 @@ Server::Application.routes.draw do
 
   # See http://guides.rubyonrails.org/routing.html
 
+  # OPTIONS requests just get an empty response with CORS headers.
+  match '*a', :to => 'static#empty', :via => 'OPTIONS'
+
   namespace :arvados do
     namespace :v1 do
       resources :api_client_authorizations do