Cors config

[zaratan]

Why ?

For now, everything is wonderful and your api live in its own world. But soon™ it will need to talk to a JS page that will probably live in an other domain.

For example your API could be accessible at:

api.my_nice_service.com

Your JS front at:

www.my_nice_service.com

As soon as you will want to make a new query to your API from your front:

Failed to load https://api.my_nice_service.com/: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://api.my_nice_service.com/ with MIME type text/html.

Must have

• Add rack-cors.
• Add proper CORS policies
• Must work with authentication

Todo

• [ ] Add the gem
• [ ] Use the default gem configuration
• [ ] Add the fields relative to the auth headers we need (by default, CORS block every header not declared and we use this for authentication)
• [ ] Add all the url that might be valid and not just * let's make sure only your JS frontend work

Reading list

• [ ] https://www.codecademy.com/articles/what-is-cors
• [ ] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS