Implement Cross-Origin Resource Sharing:

* Add Api::ApplicationController
* Route OPTION requests (CORS preflight) to API application controller
* Filter all API requests through #cor_filter in API application
  controller

spec/controllers/api/application_controller_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe Api::ApplicationController do
+  before do
+    controller.current_user = Factory.create(:user)
+  end
+
+  context 'CORS: Cross-Origin Ressource Sharing' do
+    before do
+      request.env['Origin'] = 'http://origin.example/'
+    end
+
+    context 'preflight' do
+      controller(Api::ApplicationController) do
+        alias_method :index, :cor_preflight
+      end
+
+      def options(action)
+        process action, nil, nil, nil, 'OPTIONS'
+      end
+
+      it 'sets Access-Control-Allow-Methods header' do
+        options :index
+        response.headers['Access-Control-Allow-Methods'].should ==
+          'GET, POST, PUT, DELETE'
+      end
+
+      it 'sets Access-Control-Allow-Methods header' do
+        options :index
+        response.headers['Access-Control-Allow-Headers'].should ==
+          'Content-Type, X-Requested-With'
+      end
+    end
+
+    describe 'before filter' do
+      controller(Api::ApplicationController) do
+        def index
+          head :ok
+        end
+      end
+
+      it 'sets Access-Control-Allow-Origin header' do
+        get :index
+        response.headers['Access-Control-Allow-Origin'].should ==
+          request.env['Origin']
+      end
+    end
+  end
+end