Access-Control-Allow-Origin is returned only if Origin header is set

This issue is 3 years old, but this strict interpretation is indeed causing us issues as described by folks above. In particular, we would like to cache a VERY specific set of headers as our response for our javascript files, regardless of whether the origin is set. By varying the responses based on the request, it is possible for us to have the wrong responses get set in our CDN’s cache, which causes subsequent valid requests to fail.

We might have to manually add these headers as suggested, but I welcome other suggestions or options to force this header.

On a related note, imagine that we have a very particular domain (example.com) that we’d like to specify as a valid origin. So, we’d like to always respond with the header: Access-Control-Allow-Origin: http://example.com, regardless of which origin was used in the request. At present, even if we do specify a origin, if we specify an origin other than example.com, the CORS headers are not returned. I realize that this is to spec, but is there a way to force these headers to show up, even if the origin is incorrect?

We couldn’t use the workaround suggested by @snikch as adding Vary: Origin prevents our CDN from caching any requests, so we ended up writing another middleware to inject a fake Origin header into all requests before they hit rack-cors:

class InjectOriginHeaderMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    # Force rack-cors to always return Access-Control-Allow-Origin
    # by always setting the "Origin:" header in the request
    env['HTTP_ORIGIN'] ||= 'force-CORS'
    @app.call(env)
  end
end

In application.rb:

config.middleware.insert_before Rack::Cors, "InjectOriginHeaderMiddleware"