-
-
Save brianlmoon/2291111c5c69252c85f4 to your computer and use it in GitHub Desktop.
| # Sets CORS headers for request from example1.com and example2.com pages | |
| # for both SSL and non-SSL | |
| SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0 | |
| Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN | |
| Header set Access-Control-Allow-Credentials "true" env=ORIGIN | |
| # Always set Vary: Origin when it's possible you may send CORS headers | |
| Header merge Vary Origin |
It doesnt work for me...Am I doing smth wrong? Here is what I have in httpd.conf file:
# Sets CORS headers for request from example1.com and example2.com pages
# for both SSL and non-SSL
SetEnvIf Origin "^https?://[^/]*(example1|subdomain.example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
# Always set Vary: Origin when it's possible you may send CORS headers
Header merge Vary Origin
And I receive the following:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://subdomain.example.com/scripts/loginFromPresta.php. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
I had to add "always" to the Header set
Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
This then sets the header, It ought to replace the header but this doe not work for me so I get multiple headers which is not permitted.
String struggling with CORS in Apache, someone needs to write the definitive mod_cors.
This was what i was looking for!
Since firefox quantum (or maybe earlier) origins set on "*" does not work for xhr -> withCredentials. Your solution is what i needed. Works with header alwats set as @teknopaul suggested.
very good / tx
question !
what is the fucntion of the "e" => ...%{ORIGIN}e... , a flag ?
- Load Modules
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
- Change Folder in Bold to your target directory serving the endpoint:
<Directory "**/usr/local/apache2**">
AllowOverride None
Require all granted
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
Header always set Access-Control-Max-Age "600"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
</Directory>
Current config
<location /test>
SetEnvIf Origin ".*$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
In New config, if i add always, Is this enough to allow all domain?
<location /test>
SetEnvIf Origin ".*$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Could somebody advice.
Thank you
Hi guys,
this thread was really helpful,
The solution below works. The server is returning correct Access-Control-Allow-Origin header but status code of Preflight (OPTIONS method, before POST) request is still 403 (chrome)
Is there any solution for 403?
SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
Header merge Vary Origin
Hi,
I have not used Apache in years now. I would Google for "apache options cors". I switched to Nginx. I had to do some things in Nginx for OPTIONS headers so I am guessing Apache is the same. I am sure there is a solution. And if you find the solution, feel free to respond here with it.
Hi guys, this thread was really helpful,
The solution below works. The server is returning correct Access-Control-Allow-Origin header but status code of Preflight (OPTIONS method, before POST) request is still 403 (chrome)
Is there any solution for 403?
SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0 Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN Header set Access-Control-Allow-Credentials "true" env=ORIGIN Header merge Vary Origin
Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Thank you. This did it.
Thanks!