Question

I've written a server to handle cross site JSON requests. It's an API meant to be called by ajax. I got it working, but I am still getting some strange warnings.

Since some of the API calls are POSTs, there is a preflight OPTIONS request which triggers this warning (thin output):

127.0.0.1 - - [15/Aug/2013 22:24:20] "OPTIONS /login HTTP/1.1" 200 - 0.0080
W, [2013-08-15T22:24:20.124254 #3236]  WARN -- : attack prevented by Rack::Protection::HttpOrigin

Here's the preflight header for the request that causes this:

OPTIONS /login HTTP/1.1
Host: localhost:3000
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:4567
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Access-Control-Request-Headers: origin, content-type
Accept: */*
Referer: http://localhost:4567/index.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

Additionally, I'd like to know why I get this warning:

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.

Here's the server code with headers that should be allowing the CORS xhr:

enable :sessions

before do
  # CORS response headers for the browser at localhost:4567
  headers['Access-Control-Allow-Origin'] = 'http://localhost:4567'
  headers['Access-Control-Allow-Headers'] = 'origin, content-type, accept'
  headers['Access-Control-Allow-Credentials'] = 'true'

  # Answer the preflight request directly instead of routing it
  if request.request_method == 'OPTIONS'
    headers["Access-Control-Allow-Methods"] = "POST, GET"
    halt 200
  end
end

Answer

This is actually two related questions; I'll address them one at a time.

  1. According to this SO question it looks like you need to provide an origin whitelist to Sinatra. Essentially what it's trying to do is protect you from Cross Site Scripting Attacks which could harm your users. However, there are some cases when you do want to allow cross site scripting to occur. To do so you can do something like this:

    set :protection, :origin_whitelist => ['http://web.example.com']
    

    The headers only apply to the user's browser, but Rack needs permission as well. Two lines of defense. For more information, see the documentation for Rack::Protection (which is what Sinatra uses here).

  2. The "secret option" error refers to a setting on Rack::Session. When you use the Rack::Session functionality you can pass it in the secret like this:

    use Rack::Session::Cookie, :key => 'rack.session',
                               :domain => 'foo.com',
                               :path => '/',
                               :expire_after => 2592000,
                               :secret => 'change_me'
    

    Do the above instead of the simple enable :sessions. You can also find the documentation for Rack::Session here.
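To make the "two lines of defense" point from item 1 concrete, here is an added example (not rack-protection's code and not from the original post) in plain Rack style with no gem dependencies: a middleware that rejects state-changing cross-origin requests unless the Origin is whitelisted, and only then emits CORS headers. The whitelisted origin, host and paths are assumed values matching the question; the inner app is a stand-in for the /login route.

```ruby
# Assumed allowed origin and the methods treated as not changing state.
ORIGIN_WHITELIST = ['http://localhost:4567'].freeze
SAFE_METHODS     = %w[GET HEAD OPTIONS].freeze

# Rack-style middleware: the server-side check is what blocks a cross-site
# POST; the CORS headers only tell the browser which origin may read replies.
class OriginGuard
  def initialize(app, whitelist)
    @app, @whitelist = app, whitelist
  end
  # No Origin header, or an Origin equal to our own base URL, is same-origin.
  def same_origin?(env)
    origin = env['HTTP_ORIGIN']
    origin.nil? || origin == "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}"
  end
  def allowed?(env)
    SAFE_METHODS.include?(env['REQUEST_METHOD']) ||
      same_origin?(env) || @whitelist.include?(env['HTTP_ORIGIN'])
  end
  def call(env)
    return [403, { 'Content-Type' => 'text/plain' }, ['attack prevented']] unless allowed?(env)
    status, headers, body = @app.call(env)
    origin = env['HTTP_ORIGIN']
    if @whitelist.include?(origin)           # echo only a whitelisted origin
      headers['Access-Control-Allow-Origin'] = origin
      headers['Access-Control-Allow-Credentials'] = 'true'
      headers['Vary'] = 'Origin'
    end
    [status, headers, body]
  end
end
# Inner app: answers the preflight, otherwise a stand-in for /login.
APP = lambda do |env|
  if env['REQUEST_METHOD'] == 'OPTIONS'
    [200, { 'Access-Control-Allow-Methods' => 'POST, GET',
            'Access-Control-Allow-Headers' => 'origin, content-type, accept' }, []]
  else
    [200, { 'Content-Type' => 'text/plain' }, ['ok']]
  end
end
GUARDED = OriginGuard.new(APP, ORIGIN_WHITELIST)

# Constructed Rack env for a request to localhost:3000 from the given origin.
def request_env(method, origin)
  env = { 'REQUEST_METHOD' => method, 'rack.url_scheme' => 'http',
          'HTTP_HOST' => 'localhost:3000', 'PATH_INFO' => '/login' }
  env['HTTP_ORIGIN'] = origin if origin
  env
end
```

A preflight OPTIONS from any origin passes (it cannot change state), a POST from the whitelisted origin passes with CORS headers echoed back, and a POST from an unlisted origin is refused before it reaches the route.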

License: CC-BY-SA with attribution