Impossible to support CORS and non-CORS simultaneously?

[jamesarosen]

I have a single app. I want to accept same-origin requests on /foo and cross-origin requests on /bar.

If I do this:

app.use Rack::CorsGateOriginProcessor

app.use Rack::Cors do
  allow do
    resource /bar, credentials: true, methods: :any
  end
end

Rack::CorsGate

Then env['rack.cors'] will be a miss for requests to /foo. That, in turn, will lead to Rack::CorsGate returning a 403.

Shouldn't the logic be more like

def is_allowed(env, origin, method)
  return true if @allow_safe && ['GET', 'HEAD'].include?(method.upcase)
  return true if !@strict && origin.nil?
  return true if same_origin_request?(env) # CorsGate doesn't apply to same-origin requests
  env['rack.cors'].hit?
end

Or am I completely missing how this is supposed to work?

[jamesarosen]

Or -- and this is closer to my real use-case -- I want to allow same-origin and cross-origin requests to the same resources:

app.use Rack::Cors do
  allow do
    origins do |origin, env|
      origin == 'www.example.com' && Rack::Request.new(env).host == 'api.example.com'
    end

    resource /api/*, credentials: true, methods: :any
  end
end

I wouldn't want "CORS" requests from www to www. Nor would I want Rack::CorsGate to block those.

[jamesarosen]

A related problem: if the application also serves HTML traffic, Rack::CorsGateOriginProcessor will probably do the wrong thing. Example:

1. User goes to https://my-search-engine.com and types in My Site
2. User clicks link to https://mysite.example.com
3. Browser makes GET https://mysite.example.com with Referer: my-search-engine.com
4. Rack::CorsGateOriginProcessor sets Origin: my-search-engine.com
5. Rack::Cors marks the request as a CORS miss (since my-search-engine.com shouldn't be making CORS requests)
6. Rack::CorsGate blocks the request

There are a few ways to get around this. One is to wrap Rack::CorsGate in a middleware that checks whether the request is an API request:

class CORSAPIGate
  API_PATHS = %r{^/api/}

  def intialize(app)
    @bare_app = app
    @cors_app = Rack::CorsGate.new(app)
  end

  def call(env)
    request = Rack::Request.new(env)
    @req.path =~ API_PATHS ? @cors_app.call(env) : @bare_app.call(env)
  end
end