Merge pull request #2990 from stevenh512/rack-cors

Cross-Origin Resource Sharing

Gemfile

@@ -8,6 +8,10 @@ gem 'whenever'
 
 gem 'thin', '~> 1.3.1',    :require => false
 
+# cross-origin resource sharing
+
+gem 'rack-cors', '~> 0.2.4', :require => 'rack/cors'
+
 # authentication
 
 gem 'devise', '~> 1.3.1'

Gemfile.lock

@@ -300,6 +300,8 @@ GEM
     polyglot (0.3.3)
     proxies (0.2.1)
     rack (1.2.5)
+    rack-cors (0.2.4)
+      rack
     rack-fiber_pool (0.9.2)
     rack-google-analytics (0.10.0)
     rack-mobile-detect (0.3.0)
@@ -496,6 +498,7 @@ DEPENDENCIES
   omniauth-twitter
   parallel_tests
   pg
+  rack-cors (~> 0.2.4)
   rack-google-analytics
   rack-piwik
   rack-rewrite (~> 1.2.1)

app/controllers/publics_controller.rb

@@ -12,12 +12,11 @@ class PublicsController < ApplicationController
   # We use newrelic_ignore to prevent artifical RPM bloat; however,
   # I am commenting this line out for the time being to debug some apparent
   # issues on Heroku.
-  # 
+  #
   # newrelic_ignore if EnviromentConfiguration.using_new_relic?
 
   skip_before_filter :set_header_data
   skip_before_filter :set_grammatical_gender
-  before_filter :allow_cross_origin, :only => [:hcard, :host_meta, :webfinger]
   before_filter :check_for_xml, :only => [:receive, :receive_public]
   before_filter :authenticate_user!, :only => [:index]
 
@@ -82,12 +81,6 @@ class PublicsController < ApplicationController
   end
 
 
-  def allow_cross_origin
-    headers["Access-Control-Allow-Origin"] = "*"
-  end
-
-
-
   private
 
   def check_for_xml

config/initializers/cors.rb

@@ -0,0 +1,7 @@
+Rails.application.config.middleware.insert 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '/.well-known/host-meta'
+    resource '/webfinger'
+  end
+end