wiki:allowing_cors_requests

wiki:allowing_cors_requests [2024/10/10 14:51] – created antisawiki:allowing_cors_requests [2024/10/14 14:42] (current) – [nginx] add info about Set-Cookie antisa
Line 5: Line 5:
  
 For [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests|simple requests]] like GET allowing headers should work fine, but for [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests|preflighted requests]] you need to first respond with **2xx** status code to a preflight request, indicated by the **OPTIONS** method and then set the headers again. For [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests|simple requests]] like GET allowing headers should work fine, but for [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests|preflighted requests]] you need to first respond with **2xx** status code to a preflight request, indicated by the **OPTIONS** method and then set the headers again.
 +
 +Example of preflighted request not receiving 2xx response
 +{{ :wiki:screenshots:2024:cors.png |}}
  
 Below is a config for preflighted and simple requests which will allow requests (e.g. from fetch function in browser console) from **example.org** domain to the domain **example.com** Below is a config for preflighted and simple requests which will allow requests (e.g. from fetch function in browser console) from **example.org** domain to the domain **example.com**
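Review bot: the new caption `Example of preflighted request not receiving 2xx response` should state in text which status the OPTIONS request actually received and from where (the nginx `if` block or the proxied upstream), because the screenshot is the only place that information lives and readers without the image, or searching the wiki, cannot recover it. The surrounding sentence would also read better as "you need to first respond with a **2xx** status code to the preflight request", with the article added and the comma placed after "**OPTIONS** method".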
Line 24: Line 27:
 ... ...
 if ($request_method = 'OPTIONS') { if ($request_method = 'OPTIONS') {
-add_header 'X-preflighted' 'true'; +  add_header 'X-preflighted' 'true'; 
-add_header 'Access-Control-Allow-Credentials' 'true'; +  add_header 'Access-Control-Allow-Originexample.org always
-add_header 'Access-Control-Allow-Methods' 'OPTIONS'; +  add_header 'Access-Control-Allow-Credentials' 'true'; 
-add_header 'Access-Control-Allow-Headers' '*'; +  add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization'; 
-add_header 'Access-Control-Allow-Originexample.org always+  add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS'; 
-      return 204; +  return 204; 
-   }+}
  
-add_header 'Access-Control-Allow-Credentials' 'true'; 
-add_header 'Access-Control-Allow-Methods' '*'; 
-add_header 'Access-Control-Allow-Headers' '*'; 
 add_header 'Access-Control-Allow-Origin' example.org always; add_header 'Access-Control-Allow-Origin' example.org always;
 +add_header 'Access-Control-Allow-Credentials' 'true';
 +add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization';
 +add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
 +
  
 ... ...
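Review bot: the `Access-Control-Allow-Origin` line added inside the `if ($request_method = 'OPTIONS')` block is malformed: it is missing the closing quote after the header name, the space before the value and the terminating semicolon, so nginx will refuse to load the config; it should read `add_header 'Access-Control-Allow-Origin' example.org always;`, matching the line below the block. Two further points on this hunk: the browser compares the header value byte for byte with the serialized origin it sent in `Origin`, i.e. `https://example.org`, so a bare `example.org` never matches and the request is blocked even though the header is present; and `always` is set on `Allow-Origin` and `Allow-Methods` but not on `Allow-Credentials`, so on a 4xx/5xx upstream response a credentialed fetch sees the origin allowed but credentials not and fails with a CORS error rather than surfacing the real status. Replacing the `*` wildcards with explicit lists is the right change here, because once `Access-Control-Allow-Credentials: true` is sent the browser treats `*` in `Allow-Headers` and `Allow-Methods` literally instead of as a wildcard.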
Line 42: Line 46:
         proxy_http_version 1.1;         proxy_http_version 1.1;
         proxy_set_header Connection "";         proxy_set_header Connection "";
 +        
 +        # Ensure cookies and headers pass correctly
 +        proxy_pass_request_headers on;
 +        proxy_set_header Cookie $http_cookie;
     }     }
 } }
 </code>  </code> 
 +
 +<WRAP center round tip 60%>
 +If you are also setting a cookie, remember that it can only be set from the same domain i.e. if there's an app running under app.example.org and it sends ''Set-Cookie yummy=fe.example.com'', this won't work. You will get an error like ''Cookie “yummy” has been rejected for invalid domain.''
 +</WRAP>
  
 ====== Tested on ====== ====== Tested on ======
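Review bot: the two proxy directives added after `proxy_set_header Connection "";` do not change behaviour: `proxy_pass_request_headers on` is nginx's default, and `proxy_set_header Cookie $http_cookie` re-sets the `Cookie` header to the value nginx already forwards, so either drop them or replace the comment `# Ensure cookies and headers pass correctly` with the concrete upstream problem they were observed to fix. In the tip, `Set-Cookie yummy=fe.example.com` reads as a cookie value rather than a domain attribute; writing the actual header, `Set-Cookie: yummy=1; Domain=fe.example.com`, makes clear that the rejected part is the `Domain` attribute, which must be the responding host or a parent of it. Since the tip concerns cookies on a credentialed cross-site request, it should also mention that such cookies need `SameSite=None; Secure` or the browser will not send them at all.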
wiki/allowing_cors_requests.1728571890.txt.gz · Last modified: 2024/10/10 14:51 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal