cors_controller.rb

#app/controllers/guest_sessions_controller.rb:

  # Show HTTP OPTIONS for XHR2 / CORS requests
  def options
    render :nothing => true, :status => 204
    response.headers['Access-Control-Allow-Origin'] = '*'
    response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
    response.headers['Access-Control-Allow-Credentials'] = 'true'
    response.headers['Access-Control-Max-Age'] = '86400' # 24 hours
    response.headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept'
  end

  # Note: These headers must also be added to the actual GET / POST / PUT / DELETE responses 
  # as well or else the browser may report a failure where there was in fact a success.


  # Create a session for non-logged in users which may be merged on login or remain anonymous, one-time use.
  def create
    #TODO how to handle this in the case of internationalization
    # I chose not to put this in the db layer because this is shared with the user class
    guest = Guest.new({:display_name=>'Guest'})
    guest.save
    guest_session = GuestSession.new(guest)
    # sanitize the outbound hash now to keep it dry when we add xml and html support in addition to json
    hash = {:display_name => guest.display_name, :single_access_token => guest.single_access_token}
    respond_to do |format|
      # This works for client ACCEPT headers as well as .:format.
      format.json { render :json => hash, :callback => params[:callback] }
    end
  end

  # Log out
  def destroy
    #TODO if the guest didn't leave an e-mail, delete the guest (regarding as spam)
    current_guest_session.destroy
    message = {:message => "Logout successful!", :errors => []}
    respond_to do |format|
      format.json { render :json => message, :callback => params[:callback] }
    end
  end