No 'Access-Control-Allow-Origin' header is present in Rails API backend

Question

I have a jsonapi-resources backend api in Rails. I am able to request data using curl as well as in Python.

When I try using jQuery for the request I get the following error in the browser:

XMLHttpRequest cannot load https://shop-api-3.herokuapp.com/customers?filter%5Bshop_token%5D=9e3c9769b752436ddbd27597cf946a36. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 404.

So I added this to config/environments/production.rb:

  config.action_dispatch.default_headers = {
      'Access-Control-Allow-Headers' => 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Request-Method' => '*',
      'X-Frame-Options' => 'ALLOWALL'
    }

However, I'm still getting the same error. What am I missing?

FWIW, this is my curl command:

curl -i -H "Accept: application/vnd.api+json" "https://app.herokuapp.com/retentions?filter%5Bshop_token%

5D=ABC123"

Using Rails 4

Answer 1

I had this same issue a month ago and after reading a lot of blogposts, I solved it by...

So it looks like you are requesting an api token, on another server using jquery(from the browser) rather than doing this, request it from ur server and ounce you get it pass it to the client and then you can do whatever you want, this should do the trick.

My understanding of this CORS is you cant do browser to server, you have to do it from server(your domain) to server(the api that you are accessing).

Hope this helps!