Imprecision in apache related doc #88

Open
Cethy opened this Issue Dec 23, 2014 · 3 comments


@Cethy
Cethy commented Dec 23, 2014

TL;DR: CORS directives (headers) placed directly in <VirtualHost> do NOT work.

While editing my apache2 (2.4.10, but noticed on older 2.4.x) configuration, I tried to move my CORS directives from the .htaccess file to the mysite.conf file.
Following the enable-cors website, I tried to put the directives directly into <VirtualHost>, but it destroys the whole server (syntax is "ok" but all requests are served with a 400 error).
After some fail & retry, I stumbled upon this post, which points out that directives are not "matched" the same way depending on whether they are in <VirtualHost> or .htaccess.
By moving them into the <Directory> subsection of the virtual host, it works.

@monsur
Owner
monsur commented Dec 24, 2014

Thanks for pointing this out. Can you post a snippet of your .htaccess file so I can get a sense of what it looks like? Thanks!

On Tue Dec 23 2014 at 9:06:14 AM Cethy notifications@github.com wrote:

> TL;DR: CORS directives (headers) placed directly in <VirtualHost> do NOT work.
>
> While editing my apache2 (2.4.10, but noticed on older 2.4.x) configuration, I tried to move my CORS directives from the .htaccess file to the mysite.conf file.
> Following the enable-cors website, I tried to put the directives directly into <VirtualHost>, but it destroys the whole server (syntax is "ok" but all requests are served with a 400 error).
> After some fail & retry, I stumbled upon this post http://tltech.com/info/rewriterule-in-htaccess-vs-httpd-conf/ which points out that directives are not "matched" the same way depending on whether they are in <VirtualHost> or .htaccess.
> By moving them into the <Directory> subsection of the virtual host, it works.



@Cethy
Cethy commented Dec 29, 2014

    #CORS capabilities
    <IfModule mod_headers.c>
        #Piece of crap allowing different origins
        # Anchored with ^...$ and dots escaped, so only mywebsite.com and its
        # www./foo. subdomains match; $0 is the whole matched Origin value.
        SetEnvIf Origin "^https?://((www|foo)\.)?mywebsite\.com$" AccessControlAllowOrigin=$0

        # Echo the matched Origin back, only when the variable above was set
        Header always add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header always set Access-Control-Allow-Credentials true
        Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
        Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE"
    </IfModule>

    #Rewrite rules
    <IfModule mod_rewrite.c>
        RewriteEngine On

        # needed for CORS: answer preflight (OPTIONS) requests with a 200
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=200,L]

        # all requests for non-existing files are redirected to myscript.php
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ myscript.php [QSA,L]
    </IfModule>

Overall, besides the SetEnvIf Origin line, it's all pretty standard IMHO.

@kuldipem
kuldipem commented Jan 5, 2015

@Cethy, the snippet you have mentioned is necessary to enable CORS for pre-flight requests,
and it is safe and handy to use a pattern rather than * or a list of whitelisted URLs.
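A check for Origin allowlist patterns of the kind used in the `SetEnvIf Origin` line above, as an added example that is not part of the thread or of the enable-cors project. It assumes Python's `re` behaves like Apache's regex engine for these simple patterns; the rule tuples, sample origins and function names are constructed for illustration.

```python
import re

# Constructed rules: (Origin regex, value template), as on a SetEnvIf line.
# LOOSE: no ^ anchor, unescaped dots, "www" alternative missing its dot, $0$1.
LOOSE = (r"http(s)?://(www|foo\.)?(mywebsite.com)$", "$0$1")
# STRICT: anchored, dots escaped, subdomain dot inside the optional group.
STRICT = (r"^https?://((www|foo)\.)?mywebsite\.com$", "$0")

# Constructed sample origins on the placeholder domain used in the thread.
TRUSTED = ["http://mywebsite.com", "https://mywebsite.com",
           "https://www.mywebsite.com", "http://foo.mywebsite.com"]
UNTRUSTED = ["http://wwwmywebsite.com", "http://mywebsitexcom",
             "https://mywebsite.com.example", "null"]


def acao_value(rule, origin):
    """Header value the rule would emit for `origin`, or None if unmatched.

    Models SetEnvIf: unanchored regex search, then $0..$9 substitution.
    """
    pattern, template = rule
    m = re.search(pattern, origin)
    if m is None:
        return None

    def backref(ref):
        n = int(ref.group(1))
        # Unset or out-of-range groups expand to the empty string.
        return (m.group(n) or "") if n <= m.re.groups else ""

    return re.sub(r"\$(\d)", backref, template)


def audit(rule, trusted, untrusted):
    """Report every deviation from exact reflection of trusted origins only."""
    findings = []
    for origin in trusted:
        value = acao_value(rule, origin)
        if value != origin:
            findings.append(("trusted origin not reflected exactly", origin, value))
    for origin in untrusted:
        value = acao_value(rule, origin)
        if value is not None:
            findings.append(("untrusted origin gets a header", origin, value))
    return findings


if __name__ == "__main__":
    for name, rule in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit(rule, TRUSTED, UNTRUSTED) or "no findings")
```

Because the headers are sent together with `Access-Control-Allow-Credentials true`, any finding in the second category means a site outside the allowlist could read authenticated responses.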
