From 7de642ccb2c6082708f564b1f1de451ba48cfeb0 Mon Sep 17 00:00:00 2001
From: Devin Howard <devin@callysto.com>
Date: Tue, 5 Apr 2016 10:12:12 +0800
Subject: [PATCH 1/2] add rack-cors; fix #531

---
 Gemfile                     | 1 +
 Gemfile.lock                | 2 ++
 config/initializers/cors.rb | 8 ++++++++
 3 files changed, 11 insertions(+)
 create mode 100644 config/initializers/cors.rb

diff --git a/Gemfile b/Gemfile
index 1a129d7b..26bd64f6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -18,6 +18,7 @@ gem 'kaminari' # pagination
 gem 'uservoice-ruby'
 gem 'dotenv'
 gem 'snorlax'
+gem 'rack-cors'
 gem 'httparty'
 gem 'active_model_serializers', '~> 0.8.1'
 gem 'delayed_job', '~> 4.0.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index 6a522642..44873eda 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -160,6 +160,7 @@ GEM
     quiet_assets (1.1.0)
       railties (>= 3.1, < 5.0)
     rack (1.6.4)
+    rack-cors (0.4.0)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.2.4)
@@ -286,6 +287,7 @@ DEPENDENCIES
   pundit
   pundit_extra
   quiet_assets
+  rack-cors
   rails (= 4.2.4)
   rails3-jquery-autocomplete
   rails_12factor
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 00000000..6fd69b6a
--- /dev/null
+++ b/config/initializers/cors.rb
@@ -0,0 +1,8 @@
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '*',
+      headers: :any,
+      methods: [:get, :post, :put, :delete, :options, :head]
+  end
+end

From e27d64e64384a432297f2446683b782eb4e860d1 Mon Sep 17 00:00:00 2001
From: Devin Howard <devin@callysto.com>
Date: Wed, 6 Apr 2016 20:09:25 +0800
Subject: [PATCH 2/2] only allow cors on api routes

---
 config/initializers/cors.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index 6fd69b6a..092bbeaf 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -1,7 +1,7 @@
 Rails.application.config.middleware.insert_before 0, Rack::Cors do
   allow do
     origins '*'
-    resource '*',
+    resource '/api/*',
       headers: :any,
       methods: [:get, :post, :put, :delete, :options, :head]
   end