Cross-Origin Resource Sharing

Remove partial support for CORS on webfinger routes and replace
it with the Rack::Cors middleware. This provides more complete
CORS support and works around a caching issue with nginx on
Heroku and potentially other reverse proxies.

CORS headers are only added if the incoming request includes
an "Origin" header, which seems to be correct according to
the CORS spec.

closes #2216

Gemfile

@@ -8,6 +8,10 @@ gem 'whenever'
 
 gem 'thin', '~> 1.3.1',    :require => false
 
+# cross-origin resource sharing
+
+gem 'rack-cors', '~> 0.2.4', :require => 'rack/cors'
+
 # authentication
 
 gem 'devise', '~> 1.3.1'

Gemfile.lock

@@ -300,6 +300,8 @@ GEM
     polyglot (0.3.3)
     proxies (0.2.1)
     rack (1.2.5)
+    rack-cors (0.2.4)
+      rack
     rack-fiber_pool (0.9.2)
     rack-google-analytics (0.10.0)
     rack-mobile-detect (0.3.0)
@@ -496,6 +498,7 @@ DEPENDENCIES
   omniauth-twitter
   parallel_tests
   pg
+  rack-cors (~> 0.2.4)
   rack-google-analytics
   rack-piwik
   rack-rewrite (~> 1.2.1)

app/controllers/publics_controller.rb

@@ -17,7 +17,6 @@ class PublicsController < ApplicationController
 
   skip_before_filter :set_header_data
   skip_before_filter :set_grammatical_gender
-  before_filter :allow_cross_origin, :only => [:hcard, :host_meta, :webfinger]
   before_filter :check_for_xml, :only => [:receive, :receive_public]
   before_filter :authenticate_user!, :only => [:index]
 
@@ -82,12 +81,6 @@ class PublicsController < ApplicationController
   end
 
 
-  def allow_cross_origin
-    headers["Access-Control-Allow-Origin"] = "*"
-  end
-
-
-
   private
 
   def check_for_xml

config/initializers/cors.rb

@@ -0,0 +1,7 @@
+Rails.application.config.middleware.insert 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '/.well-known/host-meta'
+    resource '/webfinger'
+  end
+end