Skip to content

Instantly share code, notes, and snippets.

@brianlmoon
Last active November 19, 2023 03:14
Show Gist options
  • Save brianlmoon/2291111c5c69252c85f4 to your computer and use it in GitHub Desktop.
Save brianlmoon/2291111c5c69252c85f4 to your computer and use it in GitHub Desktop.
CORS example for Apache with multiple domains
# Sets CORS headers for request from example1.com and example2.com pages
# for both SSL and non-SSL
SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
# Always set Vary: Origin when it's possible you may send CORS headers
Header merge Vary Origin
@skhalid555
Copy link

Current config
<location /test>
SetEnvIf Origin ".*$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

In New config, if i add always, Is this enough to allow all domain?
<location /test>
SetEnvIf Origin ".*$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

Could somebody advice.

Thank you

@lukydvorak
Copy link

lukydvorak commented Jun 15, 2022

Hi guys,
this thread was really helpful,

The solution below works. The server is returning correct Access-Control-Allow-Origin header but status code of Preflight (OPTIONS method, before POST) request is still 403 (chrome)

Is there any solution for 403?

SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
Header merge Vary Origin

@brianlmoon
Copy link
Author

Hi,

I have not used Apache in years now. I would Google for "apache options cors". I switched to Nginx. I had to do some things in Nginx for OPTIONS headers so I am guessing Apache is the same. I am sure there is a solution. And if you find the solution, feel free to respond here with it.

Hi guys, this thread was really helpful,

The solution below works. The server is returning correct Access-Control-Allow-Origin header but status code of Preflight (OPTIONS method, before POST) request is still 403 (chrome)

Is there any solution for 403?

SetEnvIf Origin "^https?://[^/]*(example1|example2)\.com$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
Header merge Vary Origin

@prhasn
Copy link

prhasn commented Sep 22, 2022

Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN

Thank you. This did it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment