Created
November 29, 2016 22:46
-
-
Save mkoistinen/2d8509b0b0be45ed76fed95f89b8596d to your computer and use it in GitHub Desktop.
How to use allow subdomains with CORS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Basically, since we can't use '*' as a wildcard according to the CORS spec, we need to use | |
| # Nginx to conditionally apply it to the "right" subdomains. This should allow all subdomains | |
| # of `yourtld.tld`. | |
| location ~* ^.+\.(ttf|oft|eot|woff|svg)$ { | |
| # | |
| # NOTE: CORS standards allow a specific protocol/host combination, | |
| # 'null', or '*' only. So, wildcard subdomains won't work. | |
| # | |
| # Have a look here: | |
| # http://enable-cors.org/server_nginx.html | |
| # | |
| if ($http_origin ~* (https?://[^/]*\.yourtld.tld(:[0-9]+)?)$) { | |
| add_header 'Access-Control-Allow-Origin' "${http_origin}"; | |
| } | |
| } |
Some how this is my #2 in google results for cors subdomain. @aijanai there is a known issue open for that specific sentence, the issue explains the problem: monsur/enable-cors.org#108
Access-Control-Allow-Origin: * defeats the purpose of CORS, which is to prevent XSS.
@u2mejc not really, as you would return * only for whitelisted domains.
If you have Access-Control-Allow-Credentials=true, you cannot provide a wildcard for the Access-Control-Allow-Origin. So this is a good use case to allow subdomains access.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I don't get this: on the enable-cors.org website it says, verbatim: