Open HoneyryderChuck opened 12 years ago
Actually, after reading a bit more, the right solution would be defining a list of allowed domains, and then check the ORIGIN header field for the font resource request. If it belongs to the list of allowed domains, then fill the Access-Control-Allow-Origin field with the respective domain and ship the response.
I got a temporary work around working. Basically I rewrote some of the logic of the middleware in an intializer:
module FontAssets
class Middleware
def call(env)
origin = env["HTTP_ORIGIN"]
# intercept the "preflight" request
if env["REQUEST_METHOD"] == "OPTIONS"
return [200, access_control_headers(origin), []]
else
code, headers, body = @app.call(env)
set_headers! headers, body, env["PATH_INFO"], origin
[code, headers, body]
end
end
def access_control_headers(origin)
return {} unless allowed_origin?(origin)
{
"Access-Control-Allow-Origin" => origin,
"Access-Control-Allow-Methods" => "GET",
"Access-Control-Allow-Headers" => "x-requested-with",
"Access-Control-Max-Age" => "3628800"
}
end
private
def set_headers!(headers, body, path, origin)
if ext = extension(path) and font_asset?(ext) and allowed_origin?(origin)
headers.merge!(access_control_headers(origin))
headers.merge!('Content-Type' => mime_type(ext)) if headers['Content-Type']
end
end
def allowed_origin?(origin)
@origin.include?(origin)
end
end
end
It is not optimal, but it does the trick now. But instead of assigning a domain in application.rb, I have to assign an array of domains. I've noticed that the set_headers! function takes the body parameter needlessly. I'll try to work on this a bit more, but tell me what you think meanwhile.
This is the right approach but has one issue with cloundfront as they don't support the vary
header and will cache whatever domain's "Access-Control-Allow-Origin" header gets served first. (The vary
header tells caches use headers and not just urls in their cache keys.)
Hi man,
Great gem you got there. I'm just missing something: What if I want to had more than one domain? Thing is, the way the Access-Control-Allow-Origin header field should work, the field has to be repeated in the header:
Access-Control-Allow-Origin: http://example.com Access-Control-Allow-Origin. https://example.com
At least that's what I read, comma separation doesn't work in this case.
Regards, Tiago