CORS Support

Enabling CORS is simple. You just set config.cors in the config/application.rb file. Here’s an example:

config/application.rb:

Jets.application.configure do
  # ...
  config.cors = true
end

A config.cors = true will add a response header with Access-Control-Allow-Origin='*'.

Specific Domain

If you would like more specificity for the Access-Control-Allow-Origin header then you can set the domain name like so:

Jets.application.configure do
  # ...
  config.cors = "*.mydomain.com"
end

The example above adds a response header with Access-Control-Allow-Origin='*.mydomain.com'.

Full Customization

If you need full customization of the CORS response headers, you can set config.cors as a Hash.

Jets.application.configure do
  # ...
  config.cors = {
    "access-control-allow-origin" => "*.mydomain.com",
    "access-control-allow-credentials" => true,
  }
end

If you need to control the extra headers added as part pre-flight OPTIONS request you can set config.cors_preflight:

Jets.application.configure do
  # ...
  config.cors_preflight = {
    "access-control-allow-methods" => "DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT",
    "access-control-allow-headers" => "Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent",
  }
  end

Authorization Type

By default, OPTIONS requests will have an authorization_type = "NONE". This allows libraries and frameworks like AWS Amplify to use this HTTP endpoint to send an unsigned preflight request. For some reason if you want to specify authorization_type for the OPTIONS request, you can do this:

Jets.application.configure do
  # ...
  config.api.cors_authorization_type = "CUSTOM" # default is "NONE"
end

More info: Routes Authorization