Login modal using default rails ajax request not working with subdomains

I am having a devise user model.

To login I am using twitter-bootstrap modal.The modal is by default
hidden and shown only after an rails default ajax request is send to the
server.

It works fine with localhost and production. But when a user is on a
subdomain(using acts_as_tenant) like business.lvh.me:3000 the modal
window does not pop up and the ajax request fails.

I am sharing the session across all the domains.

My SessionStore initializer.

Rails.application.config.session_store :active_record_store, :key =>
'_my_app_session',domain: 'lvh.me'

PFB the error.log for the same.

  Rendered remote_content/_remote_sign_up.html.erb (78.8ms)
  Rendered remote_content/remote_sign_up.js.erb (86.2ms)
Security warning: an embedded <script> tag on another site requested
protected JavaScript. If you know what you're doing, go ahead and
disable forgery protection on this action to permit cross-origin
JavaScript embedding.
Completed 422 Unprocessable Entity in 100ms (Views: 96.1ms |
ActiveRecord: 1.6ms)

ActionController::InvalidCrossOriginRequest - Security warning: an
embedded <script> tag on another site requested protected JavaScript. If
you know what you're doing, go ahead and disable forgery protection on
this action to permit cross-origin JavaScript embedding.:
  actionpack (4.2.4)
lib/action_controller/metal/request_forgery_protection.rb:225:in
`verify_same_origin_request'
  activesupport (4.2.4) lib/active_support/callbacks.rb:432:in `block in
make_lambda'
  activesupport (4.2.4) lib/active_support/callbacks.rb:239:in `block in
halting'
  activesupport (4.2.4) lib/active_support/callbacks.rb:506:in `block in
call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:506:in `call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:92:in
`__run_callbacks__'
  activesupport (4.2.4) lib/active_support/callbacks.rb:778:in
`_run_process_action_callbacks'
  activesupport (4.2.4) lib/active_support/callbacks.rb:81:in
`run_callbacks'
  actionpack (4.2.4) lib/abstract_controller/callbacks.rb:19:in
`process_action'
  actionpack (4.2.4) lib/action_controller/metal/rescue.rb:29:in
`process_action'
  actionpack (4.2.4)
lib/action_controller/metal/instrumentation.rb:32:in `block in
process_action'
  activesupport (4.2.4) lib/active_support/notifications.rb:164:in
`block in instrument'
  activesupport (4.2.4)
lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (4.2.4) lib/active_support/notifications.rb:164:in
`instrument'
  actionpack (4.2.4)
lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  actionpack (4.2.4)
lib/action_controller/metal/params_wrapper.rb:250:in `process_action'
  activerecord (4.2.4)
lib/active_record/railties/controller_runtime.rb:18:in `process_action'
  actionpack (4.2.4) lib/abstract_controller/base.rb:137:in `process'
  actionview (4.2.4) lib/action_view/rendering.rb:30:in `process'
  actionpack (4.2.4) lib/action_controller/metal.rb:196:in `dispatch'
  actionpack (4.2.4)
lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
  actionpack (4.2.4) lib/action_controller/metal.rb:237:in `block in
action'
  actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:76:in
`dispatch'
  actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:45:in
`serve'
  actionpack (4.2.4) lib/action_dispatch/journey/router.rb:43:in `block
in serve'
  actionpack (4.2.4) lib/action_dispatch/journey/router.rb:30:in `serve'
  actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:821:in
`call'
  warden (1.2.3) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.3) lib/warden/manager.rb:34:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.4)
lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/flash.rb:260:in
`call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/cookies.rb:560:in
`call'
  activerecord (4.2.4) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.4)
lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in
`call'
  activerecord (4.2.4) lib/active_record/migration.rb:377:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:29:in
`block in call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:88:in
`__run_callbacks__'
  activesupport (4.2.4) lib/active_support/callbacks.rb:778:in
`_run_call_callbacks'
  activesupport (4.2.4) lib/active_support/callbacks.rb:81:in
`run_callbacks'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:27:in
`call'
  actionpack (4.2.4) lib/action_dispatch/middleware/reloader.rb:73:in
`call'
  actionpack (4.2.4) lib/action_dispatch/middleware/remote_ip.rb:78:in
`call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:84:in
`protected_app_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:79:in
`better_errors_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
  actionpack (4.2.4)
lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  web-console (2.2.1) lib/web_console/middleware.rb:39:in `call'
  actionpack (4.2.4)
lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.4) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in
`block in tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:26:in
`tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in
`tagged'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `call'
  request_store (1.2.0) lib/request_store/middleware.rb:8:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/request_id.rb:21:in
`call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.4)
lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/lock.rb:17:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/static.rb:116:in
`call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  railties (4.2.4) lib/rails/engine.rb:518:in `call'
  railties (4.2.4) lib/rails/application.rb:165:in `call'
  rack (1.6.4) lib/rack/content_length.rb:15:in `call'
  puma (2.9.2) lib/puma/server.rb:490:in `handle_request'
  puma (2.9.2) lib/puma/server.rb:361:in `process_client'
  puma (2.9.2) lib/puma/server.rb:254:in `block in run'
  puma (2.9.2) lib/puma/thread_pool.rb:92:in `block in spawn_thread'

Sorry to tell you, but this behavior is by design. You'll have to put it
on the same subdomain as the accessed page or use a workaround like an
API. This is actually a limitation of AJAX.

This is a restriction of the browser security model - it’s deliberately designed to restrict where AJAX requests etc can originate from to block several classes of attack.

You should look into rack-cors: https://github.com/cyu/rack-cors

to help send the appropriate preflight headers to allow this to work.

–Matt Jones

your problem it’s related with CORS.

A little recipe to solve this:

  1. install rack-cors gem. On your Gemfile:

Gemfile

gem ‘rack-cors’, :require => ‘rack/cors’

``

  1. on shell:
    bundle install

``

  1. on your application.rb:

application.rb

config.middleware.insert_before 0, “Rack::Cors” do
allow do
origins ‘*’ # on production, use the line below instead

origins ‘localhost:3001’, ‘myfabulousapp.com

resource '*', :headers => :any, :methods => [:get, :post, :delete, :put, :head]

end
end

``

maybe it will be required to send your credentials on your request (on the JS side) too.

I don’t know if you are using angular or jquery to communicate with your API, but I made this tutorial about how to integrate angular with devise, which can be useful for you (even that you aren’t using angular, some tips are on the server side):
http://www.learnwithdaniel.com/2015/10/rails-angular-authentication/