Differences

This shows you the differences between two versions of the page.

--- wiki:allowing_cors_requests [2024/10/11 07:52] – [Allowing CORS requests] add scrot of error antisa
+++ wiki:allowing_cors_requests [2024/10/14 14:42] (current) – [nginx] add info about Set-Cookie antisa
@@ Line 27: / Line 27: @@
 ...
 if ($request_method = 'OPTIONS') {
-add_header 'X-preflighted' 'true';
+  add_header 'X-preflighted' 'true';
-add_header 'Access-Control-Allow-Credentials' 'true';
+  add_header 'Access-Control-Allow-Origin' example.org always;
-add_header 'Access-Control-Allow-Methods' 'OPTIONS';
+  add_header 'Access-Control-Allow-Credentials' 'true';
-add_header 'Access-Control-Allow-Headers' '*';
+  add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization';
-add_header 'Access-Control-Allow-Origin' example.org always;
+  add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
-      return 204;
+  return 204;
-   }
+}
-add_header 'Access-Control-Allow-Credentials' 'true';
-add_header 'Access-Control-Allow-Methods' '*';
-add_header 'Access-Control-Allow-Headers' '*';
 add_header 'Access-Control-Allow-Origin' example.org always;
+add_header 'Access-Control-Allow-Credentials' 'true';
+add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
 ...
@@ Line 45: / Line 46: @@
         proxy_http_version 1.1;
         proxy_set_header Connection "";
+        # Ensure cookies and headers pass correctly
+        proxy_pass_request_headers on;
+        proxy_set_header Cookie $http_cookie;
     }
 }
 </code>
+<WRAP center round tip 60%>
+If you are also setting a cookie, remember that it can only be set from the same domain i.e. if there's an app running under app.example.org and it sends ''Set-Cookie yummy=fe.example.com'', this won't work. You will get an error like ''Cookie “yummy” has been rejected for invalid domain.''
+</WRAP>
 ====== Tested on ======