I am trying to use Rack::Cors with my Rails 4 application so that I can do a JSON based API.

CORS is in my Gemfile like this:

gem 'rack-cors', :require => 'rack/cors'

I am doing the configuration in my application.rb file like this:

config.middleware.insert_after Rails::Rack::Logger, Rack::Cors, :debug => true, :logger => Rails.logger do
    allow do
        origins '*'
        resource '/messages*', :headers => :any, :methods => [:post, :options]
    end
end

I am inserting after Rails::Rack::Logger in an attempt to get debugging information.

I am using CURL to test it, here is what I have been running:

curl --verbose --request OPTIONS http://jasonbutzinfo.herokuapp.com/messages.json --header 'Origin: http://www.jasonbutz.info' --header 'Access-Control-Request-Headers: Origin, Accept, Content-Type' --header 'Access-Control-Request-Method: POST'

When I run the rails app on my local machine it works without issue. When I hit the Heroku app this is what I get:

> OPTIONS /messages.json HTTP/1.1
> User-Agent: curl/7.30.0
> Host: jasonbutzinfo.herokuapp.com
> Accept: */*
> Origin: http://www.jasonbutz.info
> Access-Control-Request-Headers: Origin, Accept, Content-Type
> Access-Control-Request-Method: POST
> 
* Empty reply from server
* Connection #0 to host jasonbutzinfo.herokuapp.com left intact
curl: (52) Empty reply from server

I did find this question (Can't get rack-cors working in rails application), but there wasn't any helpful answer provided.

Update 11/13/2013 16:40 EST

I've been trying to do some more debugging with what is going on. I have monkey patched a few of Rack::Cors' methods to see if they are even being called on Heroku. I have also changed where I insert Cors to be at the top of the rack middleware stack.

With my monkey patching I have put puts statements in the initialize, call, and allow methods. The initialize and allow methods are both called. The call method is never called. So it seems there is something that is stopping the request before it gets to the cors middleware.

I ran into the same problem with heroku. I found this blog with the same rack-cors issue.

Just moved the use Rack::Cors to config.ru, redeployed to heroku and it works.

require ::File.expand_path('../config/environment',  __FILE__)
run Rails.application

require 'rack/cors'
use Rack::Cors do

  # allow all origins in development
  allow do
    origins '*'
    resource '*', 
        :headers => :any, 
        :methods => [:get, :post, :delete, :put, :options]
  end
end

It looks like the issue is being caused by my machine or the network I am on. I SSHed into a hosting environment I use and used the curl command above and it worked.

Additional Note Here is something else that just happened that I thought I ought to add to this. My AJAX request was not to the https URL for my Heroku app, but Heroku was translating it be https. This was causing an additional cross-origin issue. Switching to use https for the AJAX request fixed this.

Ok thanks to Jason I was able to figure out the root cause for me. I had the Cisco AnyConnect VPN client installed and it was blocking CORS requests.

You can find out more here: http://www.bennadel.com/blog/2559-Cisco-AnyConnect-VPN-Client-May-Block-CORS-AJAX-OPTIONS-Requests.htm

Uninstalling it all of a sudden allowed everything to work!

I was having a similar problem, I could not read Location header from the response in angularjs, even though I could see it in chrome's dev tools. I had the Rack::Cors set like this:

config.middleware.insert_before "ActionDispatch::Static", "Rack::Cors" do
    allow do
        origins '*'
        resource '*',
            headers: :any,
            methods: [:get, :post, :delete, :put, :patch, :options, :head],
            max_age: 0
        end
    end

The solution for me was to add the location to the :expose option, and after that I could see it in angularjs:

config.middleware.insert_before "ActionDispatch::Static", "Rack::Cors" do
    allow do
        origins '*'
        resource '*',
            headers: :any,
            methods: [:get, :post, :delete, :put, :patch, :options, :head],
            max_age: 0,
            expose: :location
        end
    end

Try

config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
  # ...
end