From b40b4d4df32ecd1adf2cedebe5658c949133d154 Mon Sep 17 00:00:00 2001
From: Thibault Jouan
Date: Thu, 3 May 2012 20:58:33 +0000
Subject: [PATCH] Fix use of nil in CORS filter when request doesn't have an Origin header
---
 app/controllers/api/application_controller.rb | 4 +++-
 spec/integration/api/cross_origin_request_spec.rb | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/app/controllers/api/application_controller.rb b/app/controllers/api/application_controller.rb
index 18cda2d..5bc60e0 100644
--- a/app/controllers/api/application_controller.rb
+++ b/app/controllers/api/application_controller.rb
@@ -5,7 +5,9 @@ class Api::ApplicationController < ApplicationController
 before_filter :cor_filter
 def cor_filter
- headers['Access-Control-Allow-Origin'] = request.headers['Origin']
+ headers['Access-Control-Allow-Origin'] = request.headers['Origin'] ?
+ request.headers['Origin'] :
+ ''
 headers['Access-Control-Allow-Credentials'] = 'true'
 end
diff --git a/spec/integration/api/cross_origin_request_spec.rb b/spec/integration/api/cross_origin_request_spec.rb
index c11ffae..cbb552b 100644
--- a/spec/integration/api/cross_origin_request_spec.rb
+++ b/spec/integration/api/cross_origin_request_spec.rb
@@ -40,4 +40,11 @@ feature 'API cross origin request' do
 response.headers['Access-Control-Allow-Origin'].should == origin
 response.headers['Access-Control-Allow-Credentials'].should == 'true'
 end
+
+ scenario 'request without origin' do
+ # FIXME: replace with a more stable/generic action
+ get api_playlists_path(:format => :json)
+
+ response.headers['Access-Control-Allow-Origin'].should == ''
+ end
 end
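Review bot: `cor_filter` still copies whatever `Origin` the client sends into `Access-Control-Allow-Origin` and then sets `Access-Control-Allow-Credentials` to `'true'`, so every origin is granted credentialed access to API responses; the nil fix leaves that unchanged. The origin should be checked against a list of trusted origins first, and when it is missing or not trusted both headers are better left unset than sent as an empty string plus `true`. Adding `Vary: Origin` keeps shared caches from serving one origin's response to another; the fence overwrites any existing `Vary` value, so merge it if the app already sets one. The new 'request without origin' scenario would then expect `nil` rather than `''`.

```ruby
  def cor_filter
    origin = request.headers['Origin']
    # ALLOWED_ORIGINS is a placeholder for the application's configured list of trusted origins
    return unless origin && ALLOWED_ORIGINS.include?(origin)

    headers['Access-Control-Allow-Origin'] = origin
    headers['Vary'] = 'Origin'
    # … unchanged: Access-Control-Allow-Credentials header …
```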
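Review bot: The 'request without origin' scenario asserts only `Access-Control-Allow-Origin` and pins an empty string as the expected value, so it does not cover `Access-Control-Allow-Credentials`, which the filter in this commit sets unconditionally. Add an assertion for that header on this path, e.g. `response.headers['Access-Control-Allow-Credentials'].should be_nil` if it is meant to be withheld from requests with no origin. A further scenario for an origin the API should not trust would also help, since the scenario just above only shows the supplied origin being echoed back. The enclosing `feature` block starts outside the hunk.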