skip to Main Content

I am having a devise user model.

To login I am using twitter-bootstrap modal.The modal is by default hidden and shown only after an rails default ajax request is send to the server.

It works fine with localhost and production. But when a user is on a subdomain(using acts_as_tenant) like the modal window does not pop up and the ajax request fails.

I am sharing the session across all the domains.

My SessionStore initializer.

> Rails.application.config.session_store :active_record_store, :key =>
> '_my_app_session',domain: ''

PFB the error.log for the same.

  Rendered remote_content/_remote_sign_up.html.erb (78.8ms)
  Rendered remote_content/remote_sign_up.js.erb (86.2ms)
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
Completed 422 Unprocessable Entity in 100ms (Views: 96.1ms | ActiveRecord: 1.6ms)

ActionController::InvalidCrossOriginRequest - Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.:
  actionpack (4.2.4) lib/action_controller/metal/request_forgery_protection.rb:225:in `verify_same_origin_request'
  activesupport (4.2.4) lib/active_support/callbacks.rb:432:in `block in make_lambda'
  activesupport (4.2.4) lib/active_support/callbacks.rb:239:in `block in halting'
  activesupport (4.2.4) lib/active_support/callbacks.rb:506:in `block in call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:506:in `call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:92:in `__run_callbacks__'
  activesupport (4.2.4) lib/active_support/callbacks.rb:778:in `_run_process_action_callbacks'
  activesupport (4.2.4) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.4) lib/abstract_controller/callbacks.rb:19:in `process_action'
  actionpack (4.2.4) lib/action_controller/metal/rescue.rb:29:in `process_action'
  actionpack (4.2.4) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
  activesupport (4.2.4) lib/active_support/notifications.rb:164:in `block in instrument'
  activesupport (4.2.4) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (4.2.4) lib/active_support/notifications.rb:164:in `instrument'
  actionpack (4.2.4) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  actionpack (4.2.4) lib/action_controller/metal/params_wrapper.rb:250:in `process_action'
  activerecord (4.2.4) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
  actionpack (4.2.4) lib/abstract_controller/base.rb:137:in `process'
  actionview (4.2.4) lib/action_view/rendering.rb:30:in `process'
  actionpack (4.2.4) lib/action_controller/metal.rb:196:in `dispatch'
  actionpack (4.2.4) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
  actionpack (4.2.4) lib/action_controller/metal.rb:237:in `block in action'
  actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:76:in `dispatch'
  actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:45:in `serve'
  actionpack (4.2.4) lib/action_dispatch/journey/router.rb:43:in `block in serve'
  actionpack (4.2.4) lib/action_dispatch/journey/router.rb:30:in `serve'
  actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:821:in `call'
  warden (1.2.3) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.3) lib/warden/manager.rb:34:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.2.4) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.4) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  activerecord (4.2.4) lib/active_record/migration.rb:377:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport (4.2.4) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport (4.2.4) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  web-console (2.2.1) lib/web_console/middleware.rb:39:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.4) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `call'
  request_store (1.2.0) lib/request_store/middleware.rb:8:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.4) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/lock.rb:17:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/static.rb:116:in `call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  railties (4.2.4) lib/rails/engine.rb:518:in `call'
  railties (4.2.4) lib/rails/application.rb:165:in `call'
  rack (1.6.4) lib/rack/content_length.rb:15:in `call'
  puma (2.9.2) lib/puma/server.rb:490:in `handle_request'
  puma (2.9.2) lib/puma/server.rb:361:in `process_client'
  puma (2.9.2) lib/puma/server.rb:254:in `block in run'
  puma (2.9.2) lib/puma/thread_pool.rb:92:in `block in spawn_thread'



  1. Chosen as BEST ANSWER

    I fixed the issue by using

    <%= link_to "login", remote_login_url, :remote => true%>

    instead of

    <%= link_to('login', remote_login_url(:subdomain => 'www')),:remote => true  %>  

    And changing the default after sign up and sign in paths for devise registrations and sessions controller.

    And as suggested by Rich using Rack-CORS would be helpful in these situations while dealing with ajax and subdomains.

  2. You’ve hit a problem with CORS (Cross Origin Request Source).

    This is a standard specification designed to prevent malicious XML requests through JS — simply, it means you cannot send uninvited XML requests to other servers; they have to be permitted through that server’s CORS policy.

    Rack CORS

    The important thing for you to note is that the CORS spec extends to subdomains (it treats a subdomain as completely different to a domain).

    This means you have to explicitly permit your subdomains in your CORS policy on the server. You can either do this through your web server (EG NGinx or Apache), or through the Rack Middleware stack.

    For Rails, there is a very very very very good gem which handles CORS, called Rack-CORS

    gem "rack-cors"
    module YourApp
      class Application < Rails::Application
        # ...
        config.middleware.insert_before 0, "Rack::Cors" do
          allow do
            origins '*'
            resource '/*',
              :headers => :any,
              :methods => [:get, :post, :options],
              :if => proc { |env| env['HTTP_HOST'] == '' }

    Because you’re sending an AJAX request across your subdomains, your server is treating that as if two completely separate domains are trying to access each other with Ajax.

    Of course, we know this is not the case, but CORS doesn’t.

    Thus, if you want to fix it, you should apply the code above, with your own subdomain for HTTP_HOST.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top