07:58 <FromGitter> <AndyRosenberg> Can someone show me an example of how to initialize the CORS pipe? I have tried using the default object, and I've also tried passing in an array with strings and regex of accepted headers. I even deployed a dummy app to prod just to see if my local env happened to be blocking me. Nothing has worked. ⏎ ⏎ I'd really like to be able to use this to call my own API safely without requiring authentication. I've

07:58 <FromGitter> ... seen other suggestions to create an Auth pipe, but that's not exactly what I'm looking for. ⏎ ⏎ After looking through the code, it seems like the initialization `Amber::Pipe::CORS.new(["*", /.*/])` should allow all origins (for testing) but this doesn't even work. I'd love to see a working example of this if someone ha ... [https://gitter.im/amberframework/amber?at=5e12e89b14328863c01bfe5b]

10:23 <FromGitter> <damianham> @AndyRosenberg looking at the code for the CORS pipe it might be that your request headers need to have an 'Origin' or 'X-Origin' header. The test for that precedes the test for all origins so the request will not match and thus be forbidden.

15:18 <FromGitter> <drujensen> @AndyRosenberg @damianham is correct. You need to provide an `Origin` header. According to the spec the `Origin` field is required. However, you can set it to `null`. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

15:21 <FromGitter> <AndyRosenberg> @damianham @drujensen For my example AJAX request, setting X-Origin manually seems to do the trick, but also seems a little counterintuitive. Maybe combining this with the CSRF pipe would keep everything honest.

15:25 <FromGitter> <andrewc910> I am going through rails source code and I can't figure out how they do it. How does rails invoke "render" when no render is given however, doesn't invoke render if we manually put it in?

15:26 <FromGitter> <andrewc910> I don't like the pesky renders in Amber. Tbh, I typically forget to put them and my controller leads me to a blank white page and then I remember hahah

16:44 <FromGitter> <drujensen> @AndyRosenberg I usually use CSRF tokens for traditional req/resp forms and use CORS for ajax requests. Of course, you can try and implement CSRF tokens in an AJAX request but it becomes difficult when the tokens change per request. Also you can try to implement CORS with form posts but setting headers is more difficult with traditional form posts.

16:51 <FromGitter> <drujensen> @andrewc910 the `render` helper method is using a shard called `Kilt` that supports rendering templates. It is rendered in scope of your method so any local variables defined are available in the template. the helper looks for a LAYOUT and will generate the `content` ivar that get’s injected in the layout. You can see the code here: https://github.com/amberframework/ambe

16:51 <FromGitter> ... r/blob/master/src/amber/controller/helpers/render.cr#L34

16:53 <FromGitter> <drujensen> the Kilt shard supports 10 different templating languages out of the box. You can read more about it here: https://github.com/jeromegn/kilt

16:54 <FromGitter> <drujensen> For example, you could use Jbuilder or liquid templates if you prefer.

16:57 <FromGitter> <drujensen> Just remember to include the language shard. We currently include the `slang` shard and ECR is apart of the standard library.

17:35 <FromGitter> <andrewc910> @drujensen yeah I get that. I already looked at the Amber source code. I might of explained it wrong. Tldr: I'm looking at removing those renders in the controller. One idea I had is to go into Amber source and pass the controller method into the router as a block. The end of this method could invoke "render". However, I want to look at the rails source to see how they do it. I was having trouble finding it but I

17:35 <FromGitter> ... think I just found it!