rstacruz / sinatra-assetpack

Package your assets transparently in Sinatra.
http://ricostacruz.com/sinatra-assetpack/
MIT License

Same origin policy kicking in combined method run in package.rb #132

Open rycfung opened 10 years ago

rycfung commented 10 years ago

I encountered a case where one of my CSS files is not being rendered in production.

Here's my css specification:

        serve '/css',    from: 'public/css'       # Default
        Less.paths << File.join(App.root, 'public/css')
        css :login, '/css/login_css.css', [
            '/css/normalize.css',
            '/css/bootstrap.css',
            '/css/login.css'
        ]

Login.css is never included in login_css.css in production. As if it's not frustrating enough that a css is missing in the compiled production css, I added some debugging lines in the combined method in package.rb:

    def combined
      session = Rack::Test::Session.new(@assets.app)
      paths.map { |path|
        puts path      # debug: asset path being requested
        result = session.get(path)
        puts result    # debug: status, headers and body object
        if result.body.respond_to?(:force_encoding)
          response_encoding = result.content_type.split(/;\s*charset\s*=\s*/).last.upcase rescue 'ASCII-8BIT'
          puts result.body   # debug: printed before the last expression so the block still returns the body
          result.body.force_encoding(response_encoding).encode(Encoding.default_external || 'ASCII-8BIT')  if result.status == 200
        else
          result.body  if result.status == 200
        end
      }.join("\n")
    end

Surprisingly, I'm getting a CORS exception:

    /css/login.css
    302
    {"Content-Type"=>"text/html;charset=utf-8", "Location"=>"https://example.org/css/login.css", "Content-Length"=>"0", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff", "X-Frame-Options"=>"SAMEORIGIN"}
    #<Rack::BodyProxy:0x0000000512ad18>

Not sure why I'm getting a SAMEORIGIN error when I'm merely having my CSS compiled, and everything is referenced with relative paths. Also, not sure about the https://example.org/css/login.css
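
Added example (not part of the original issue and not sinatra-assetpack code): the posted `combined` keeps a body only when the status is 200, so a 302 like the one in the output above drops the file without any error. The sketch below reproduces that with plain lambdas and shows a stricter variant that reports every non-200 response. The HTTPS-redirect middleware, its `only:` pattern and all helper names are assumptions made for illustration; the issue does not say what produced the redirect.

```ruby
# Rack apps are modelled as plain lambdas (env -> [status, headers, body]),
# so this runs without gems. All paths, bodies and names are constructed.
ASSETS = {
  '/css/normalize.css' => 'html{margin:0}',
  '/css/login.css'     => '.login{color:red}'
}.freeze

ASSET_APP = lambda do |env|
  body = ASSETS[env['PATH_INFO']]
  body ? [200, { 'Content-Type' => 'text/css' }, [body]] : [404, {}, []]
end

# Assumption: a middleware redirects plain-HTTP requests for some paths to
# HTTPS. X-Frame-Options is only a header carried on that response.
def force_https(app, only:)
  lambda do |env|
    if env['rack.url_scheme'] != 'https' && only.match?(env['PATH_INFO'])
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      [302, { 'Location' => location, 'X-Frame-Options' => 'SAMEORIGIN' }, []]
    else
      app.call(env)
    end
  end
end

# Internal request like the Rack::Test session: plain http, host example.org.
def internal_get(app, path)
  app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path,
           'HTTP_HOST' => 'example.org', 'rack.url_scheme' => 'http')
end

# Same rule as the posted combined: a body is kept only on status 200.
def combined_lenient(app, paths)
  paths.map { |p| status, _, body = internal_get(app, p); body.join if status == 200 }.join("\n")
end

# Stricter variant: returns the CSS plus a list of every skipped path.
def combined_strict(app, paths)
  skipped = []
  parts = paths.map do |p|
    status, headers, body = internal_get(app, p)
    next body.join if status == 200
    skipped << "#{p}: #{status} #{headers['Location']}".strip
    nil
  end
  [parts.compact.join("\n"), skipped]
end
```

A build step can fail when the second return value of `combined_strict` is non-empty, which turns a silently missing stylesheet into a visible error that names the path, status and redirect target.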