handle multiple domains with Access-Control-Allow-Origin header in Apache
I want to configure apache for cross-domain access header. I have tried multiple combination as suggested on number of threads on the forum. But its not working for me.
-
This works for me in Classic ASP:
If Request.ServerVariables("HTTP_ORIGIN") = "http://domain1.com" Then Response.AddHeader "Access-Control-Allow-Origin","http://domain1.com" ElseIf Request.ServerVariables("HTTP_ORIGIN") = "http://domain2.com" Then Response.AddHeader "Access-Control-Allow-Origin","http://domain2.com" 'and so on End If讨论(0) -
Try this one, it works for me. Apply in .htaccess:
SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.org|domain2\.com)$" origin_is=$0 Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is讨论(0) -
To restrict access to certain URIs checkout these docs:
CrossOriginRequestSecurity
Server-Side Access Control#Apache_examples
One helpful trick is to use an Apache rewrite, environment variable, and headers to apply Access-Control-Allow-* to certain URIs. This is useful, for example, to constrain cross-origin requests to GET /api(.*).json requests without credentials:
RewriteRule ^/api(.*)\.json$ /api$1.json [CORS=True] Header set Access-Control-Allow-Origin "*" env=CORS Header set Access-Control-Allow-Methods "GET" env=CORS Header set Access-Control-Allow-Credentials "false" env=CORSAlso, in general, according to W3 Wiki - CORS Enabled#For_Apache To expose the header, you can add the following line inside Directory, Location, and Files sections, or within an .htaccess file.
<IfModule mod_headers.c> Header set Access-Control-Allow-Origin "*" </IfModule>AND, you can use add rather than set, but be aware that add can add the header multiple times, so it's generally safer to use set.
讨论(0) -
Unless I'm misunderstanding the manual, it should be:
Header always append Access-Control-Allow-Origin: "example1.com" Header always append Access-Control-Allow-Origin: "example2.com" Header always append Access-Control-Allow-Origin: "example3.com"The manual states that the
setandaddactions behave in the following way:set: "The response header is set, replacing any previous header with this name"
add: "...This can result in two (or more) headers having the same name. This can lead to unforeseen consequences..."
讨论(0) -
For 3 domains, in your .htaccess:
<IfModule mod_headers.c> SetEnvIf Origin "http(s)?://(www\.)?(domain1.org|domain2.com|domain3.net)$" AccessControlAllowOrigin=$0$1 Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin Header set Access-Control-Allow-Credentials true </IfModule>I've tried this and it works for me. Let me know if it doesn't for you.
讨论(0) -
Will be work 100%, Apply in .htaccess:
# Enable cross domain access control SetEnvIf Origin "^http(s)?://(.+\.)?(domain1\.com|domain2\.org|domain3\.net)$" REQUEST_ORIGIN=$0 Header always set Access-Control-Allow-Origin %{REQUEST_ORIGIN}e env=REQUEST_ORIGIN Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" Header always set Access-Control-Allow-Headers "x-test-header, Origin, X-Requested-With, Content-Type, Accept" # Force to request 200 for options RewriteEngine On RewriteCond %{REQUEST_METHOD} OPTIONS RewriteRule .* / [R=200,L]讨论(0)
加载中...
- 热议问题