Where do I apply an 'Access-Control-Allow-Origin' header in a rails application

Question

I am trying to link to a third party authentication page via omniauth in a rails app using ember.js as a client. I am able to redirect my server to the proper url, but I cannot send my client there (causing my server to hang indefinitely in the request phase). My problem is that I need to set the Access-Control-Allow-Origin header somewhere in my application, but I am not sure where. I currently have this (non-working) setup in my application_controller.rb:

class ApplicationController < ActionController::API
  # Force to wants JSON for API
  before_action :api_request_settings, :cors_preflight_check

  after_action :cors_set_access_control_headers

  def cors_preflight_check
    p 'hits cors preflight check'
    if request.method == :options
      headers['Access-Control-Allow-Origin'] = '*'
      headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
      headers['Access-Control-Allow-Headers'] = '*'
      headers['Access-Control-Request-Method'] = '*'
      headers['Access-Control-Max-Age'] = '1728000'
      render :text => '', :content_type => 'text/plain'
    end
  end

  def api_request_settings
    p request.headers
    request.format = :json
  end

  def cors_set_access_control_headers
    p 'hits cors acces set control headers'
    headers['Access-Control-Allow-Origin'] = '*'
    headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS'
    headers['Access-Control-Allow-Headers'] = '*'
    headers['Access-Control-Request-Method'] = '*'
    headers['Access-Control-Max-Age'] = "1728000"
  end

What am I doing wrong and where should I put these headers to send my client to the landing page?

Answer 1

We are using a GEM that handles it in rack: https://github.com/cyu/rack-cors