CORS policy blocks login popup on sub domains #5656
Access to XMLHttpRequest at 'https://www.site.tld/forums/index.php?action=login' from origin 'https://support.site.tld' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I suggested a fix for this in #5654 for Cron.php by just hard-coding it, because of the complexity of this. However, this occurs in the main SMF application. This will also affect other implementations where CORS takes effect due to subdomains.
My suggestion here is that we add a feature (YUP!) to allow CORS for Any (*), Referral sub-domain detection (*.site.tld), Referral multiple domain handling, and disabled (don't send the header).
I believe this should be a blocker issue for release, as this will impact sites needing to specify a CORS header.
Steps to reproduce
See #5654 for how we fixed Cron.php
At work we "solved" the issue using Apache to change the header if the request comes from the same domain:
Of course, this will mean SMF will need a way to change its .htaccess whenever $scripturl changes.
I can see adding a simple toggle to allow CORS from all subdomains when requests are sent via SSI.php, but anything beyond that would get too complex very quickly.
Checking whether a request is from a subdomain of the same domain that SMF is running on should be simple enough.
We should add a securityHeaders()-type function to our template_header() call. This function would take care of all the headers such as CORS, frame options, etc. Also make it easily expandable as more security headers are coming down. There are even more headers than what we have implemented already or discussed in the pipeline.
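As an added example (not SMF's code and not part of any comment above), here is one way the "is this a subdomain of the forum's domain" check and the proposed securityHeaders() helper could fit together. It assumes SMF's existing $scripturl and $modSettings globals; the settings cors_mode, cors_base_domain and cors_allow_list are hypothetical names for the four modes suggested in the issue, and the X-Frame-Options part assumes the existing frame_security setting with its SAMEORIGIN/DENY/DISABLE values.

```php
<?php
// Added example, not SMF's own code. $scripturl and $modSettings are SMF's
// globals; cors_mode, cors_base_domain and cors_allow_list are hypothetical
// settings standing in for the Any / subdomain / list / disabled options.

/**
 * Return the value to send in Access-Control-Allow-Origin, or null for no header.
 *
 * $mode: 'disabled', 'any', 'subdomains' or 'list' (hypothetical setting).
 * $base_domain: the registrable domain the admin trusts, e.g. 'site.tld'.
 *   Deriving it from the forum host safely needs a public-suffix list, so it is
 *   configured explicitly and only falls back to the forum host itself.
 */
function cors_allowed_origin(?string $origin, string $scripturl, string $mode,
	?string $base_domain = null, array $allow_list = array()): ?string
{
	if ($origin === null || $mode === 'disabled')
		return null;

	// '*' cannot be combined with credentials; fine for anonymous SSI reads only.
	if ($mode === 'any')
		return '*';

	// An Origin header is exactly scheme://host[:port]; reject anything else.
	$o = parse_url($origin);
	$forum = parse_url($scripturl);
	if ($o === false || $forum === false || empty($o['scheme']) || empty($o['host'])
		|| isset($o['path']) || isset($o['query']) || isset($o['fragment']) || isset($o['user']))
		return null;

	$scheme = strtolower($o['scheme']);
	$host = strtolower(rtrim($o['host'], '.')); // "site.tld." must not slip past

	// Never downgrade: an https forum must not trust an http origin.
	if (strtolower($forum['scheme'] ?? 'https') === 'https' && $scheme !== 'https')
		return null;

	if ($mode === 'list')
		return in_array($origin, $allow_list, true) ? $origin : null;

	if ($mode !== 'subdomains')
		return null;

	// Host must equal the base domain or end with ".<base domain>". The leading
	// dot is what stops "evilsite.tld" from matching "site.tld".
	$base = strtolower($base_domain ?? ($forum['host'] ?? ''));
	if ($base === '')
		return null;
	if ($host === $base || substr($host, -strlen('.' . $base)) === '.' . $base)
		return $origin; // echo the exact origin (not '*') so the login cookie can travel

	return null;
}

/**
 * Emit all security headers in one place, to be called from template_header().
 * Adding a new header later means adding one line here.
 */
function securityHeaders(): void
{
	global $modSettings, $scripturl;

	if (headers_sent())
		return;

	$allow = cors_allowed_origin(
		$_SERVER['HTTP_ORIGIN'] ?? null,
		$scripturl,
		$modSettings['cors_mode'] ?? 'disabled',        // hypothetical setting
		$modSettings['cors_base_domain'] ?? null,        // hypothetical setting
		array_filter(array_map('trim', explode(',', $modSettings['cors_allow_list'] ?? ''))) // hypothetical
	);

	if ($allow !== null)
	{
		header('Access-Control-Allow-Origin: ' . $allow);
		if ($allow !== '*')
		{
			// Per-origin values must be cached per origin; 'false' appends to Vary.
			header('Vary: Origin', false);
			header('Access-Control-Allow-Credentials: true');
		}
	}

	// Assumed to mirror SMF's existing frame_security setting.
	$frame = $modSettings['frame_security'] ?? 'SAMEORIGIN';
	if ($frame !== 'DISABLE')
		header('X-Frame-Options: ' . $frame);
	header('X-Content-Type-Options: nosniff');
	header('Referrer-Policy: strict-origin-when-cross-origin');
}
```

With cors_mode set to 'subdomains' and cors_base_domain to 'site.tld', a request carrying `Origin: https://support.site.tld` gets that exact origin echoed back together with Allow-Credentials, which is what the login popup on the subdomain needs; `https://evilsite.tld`, `http://support.site.tld` and `https://support.site.tld.attacker.example` all get no header. The explicit base domain is deliberate: stripping labels off the forum host to guess the registrable domain would, for a host like forum.example.co.uk, end up trusting all of co.uk.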