A week ago, I encountered a CORS error:
Access to XMLHttpRequest at [domainA/example/directory/file.xml] from origin [domainB] has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I solved this by editing .htaccess, adding:
<IfModule mod_headers.c>
<FilesMatch ".+">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
This worked! However, I am now encountering the same problem when requesting data at the same domain, at a different path (i.e. "domainA/different/example/directory/file.json").
Shouldn't I be able to request any file, in any directory, based on the edits I made to .htaccess? (located at "/.../.../www/[domainA-root]/.htaccess")
It's worth noting that in my first example, [domainA/example/directory/file.xml] is an XML view created by Drupal, and is not a static file in an actual directory.
That looks like the typical case in which your browser is caching the response of a previous OPTIONS request to specific URLs requested previously: the header was not there before, and the browser won't bother to check again until the TTL expires.
I would say: check if the headers are there by doing a verbose curl request from your command line, i.e.
curl -v https://yourhost/yourURL
Then you can take it from there
Rather than trying .+ in FilesMatch, you should try:
<FilesMatch "\.(htm|html|css|js|php|json)$">
AddDefaultCharset UTF-8
DefaultLanguage en-US
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "*"
</FilesMatch>
I have set the page header to the public by htaccess file.
<ifModule mod_headers.c>
<filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|css|js)$">
Header set Cache-Control "max-age=31536000, public"
</filesMatch>
<filesMatch "\\.(html|htm|php)$">
Header set Cache-Control "max-age=31536000, public"
</filesMatch>
</ifModule>
But still, it is showing cf-cache-status: as DYNAMIC for the static HTML page too. Please let me know if there is an additional setting at Cloudflare or the website header.
I'd recommend reviewing the Default Cache Behaviour documentation page, which explains how the Cloudflare Cache works and how to configure it to cache (or bypass caching) different resources. To summarise:
By default only specific file extensions are cached
You can set specific Page Rules to override the default behaviour
You can also use Cloudflare Workers to achieve a customized caching result
You can also use Cache-Control headers, as long as the resource is deemed cacheable (see above)
I had some problems setting a correct CORS header for using an external resource in my WordPress installation. I have a subdomain which is exposed by another domain name.
I got the following error when using a plugin which loads resources from my website through an ajax call:
XMLHttpRequest cannot load [resource-URL] No 'Access-Control-Allow-Origin' header
I created a .htaccess file in the root directory of my subdomain. The file content is:
Header set Access-Control-Allow-Origin "sub.site.com"
I read in many blogs that you should use
Header set Access-Control-Allow-Origin "*"
but I guess that is a bad idea.
I have three sub-domains namely, a.xyz.com, b.xyz.com, c.xyz.com. Now, I have about 20 ajax request to be made on body onload of a.xyz.com.
So, I thought of distributing 20 requests equally among the three domains above. I tried it through this piece of snippet in .htaccess of b.xyz.com and c.xyz.com. However, the request from a.xyz.com to any other sub-domain is still getting dumped.
<IfModule mod_headers.c>
<FilesMatch "\.(php)$">
Header set Access-Control-Allow-Origin: http://a.xyz.com,http://b.xyz.com,http://b.xyz.com
Header set Access-Control-Allow-Methods : POST,GET,OPTIONS
</FilesMatch>
</IfModule>
I have placed the above .htaccess file in my subdomains b.xyz.com and c.xyz.com.
So, can anyone predict what's wrong in my approach?
Thanks!
Try this to allow cross domain on all xyz.com subdomains:
SetEnvIf Origin "http(s)?://(.+\.)?(xyz\.com)$" ORIGIN_DOMAIN=$0
<FilesMatch "\.(php)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin %{ORIGIN_DOMAIN}e env=ORIGIN_DOMAIN
Header set Access-Control-Allow-Methods "POST,GET,OPTIONS"
</IfModule>
</FilesMatch>
I want to configure Apache to allow XMLHttpRequests from multiple, but not all domains.
This works:
Header set Access-Control-Allow-Origin "*"
But it's unsafe, I want to allow domains specified by me, so after a bit of googling I got to this:
Header set Access-Control-Allow-Origin "http://domain1.example http://domain2.example"
But this only picks up first domain, the second is not allowed. How to properly specify multiple domains?
You can use SetEnvIf in your .htaccess file or in the vhost file (inside the "Directory" group):
<IfModule mod_headers.c>
SetEnvIfNoCase Origin "https?://(www\.)?(mydomain\.example|mydomain2\.example)(:\d+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
</IfModule>
With this code you can allow access from
mydomain.example and mydomain2.example
with or without "www." in front
with or without port number
HTTP or HTTPS
You can add multiple domains separated with | or you can use regexp to configure different subdomains or patterns.
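The two SetEnvIf answers above echo the request's Origin back only when it matches a pattern. As an added example (not code from either answer), the following Python model runs both patterns over constructed Origin values and applies a simplified browser-side check; the function names and sample origins are assumptions made for illustration.

```python
import re

# Origin patterns copied from the two SetEnvIf answers above.
XYZ_PATTERN = r"http(s)?://(.+\.)?(xyz\.com)$"
MULTI_PATTERN = r"https?://(www\.)?(mydomain\.example|mydomain2\.example)(:\d+)?$"

# Constructed Origin values, chosen to exercise the anchors and escaped dots.
SAMPLE_ORIGINS = [
    "http://a.xyz.com",
    "https://xyz.com",
    "http://notxyz.com",
    "http://a.xyz.com.other.test",
    "https://www.mydomain2.example:8443",
    "http://mydomain.example",
    "http://domain3.example",
]


def echoed_origin(origin, pattern, nocase=False):
    """Value that `Header set Access-Control-Allow-Origin %{VAR}e env=VAR` sends
    after `SetEnvIf[NoCase] Origin <pattern> VAR=$0`, or None when VAR is unset."""
    if not origin:
        return None  # no Origin request header, so nothing to match
    match = re.search(pattern, origin, re.IGNORECASE if nocase else 0)
    return match.group(0) if match else None  # $0 is the whole matched text


def browser_accepts(header_value, origin):
    """Simplified CORS check for a request without credentials: the header
    must be "*" or exactly equal to the requesting origin."""
    return header_value is not None and header_value in ("*", origin)


def audit(pattern, nocase=False):
    """Map each sample origin to whether the echoed header would satisfy it."""
    return {o: browser_accepts(echoed_origin(o, pattern, nocase), o)
            for o in SAMPLE_ORIGINS}


if __name__ == "__main__":
    for name, pat, nocase in (("xyz", XYZ_PATTERN, False), ("multi", MULTI_PATTERN, True)):
        for origin, ok in audit(pat, nocase).items():
            print(f"{name:5} {origin:40} {'allowed' if ok else 'blocked'}")
    # A static list never equals a single origin, so it fails the same check.
    static_list = "http://a.xyz.com,http://b.xyz.com,http://b.xyz.com"
    print(browser_accepts(static_list, "http://a.xyz.com"))
```

Because the header value now depends on the request, responses that pass through a shared cache should also carry `Vary: Origin`; that header is not part of either answer's configuration.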
Yes, I have searched a lot, here and there, and this is the closest I've found that I thought could actually work. But it doesn't.
<IfModule mod_headers.c>
<FilesMatch "\\.(ico|x-icon|js|css|jpg|jpeg|png|gif|swf|pdf)$">
Header unset Cookie
Header unset Set-Cookie
Header unset ETag
FileETag None
</FilesMatch>
</IfModule>
Pretty clear it should be that I am trying to cookie-free the static files served by a sub-domain, and remove the ETag header on those static files. The ETag thing works fine, but I am unable to unset the cookies.
FYI, Wordpress is installed on example.com (NOT www.example.com; www.example.com redirects to example.com), which is not cookie-free. And i.example.com serves the static files. I want to make i.example.com cookie-free. Is it at all possible to make a subdomain cookie-free when the non-www tld is not cookie-free? (I also see that it's the reason why many suggest using www.tld).
Why do you remove the ETag for these files? I would suggest setting this:
FileETag MTime Size
so that browsers, proxies, etc. know whether a cached file has changed or not.
This speeds up the site a little bit on further visits.
Maybe you set the cookies in the request header so you have to use "RequestHeader unset Cookie" like so:
<IfModule mod_headers.c>
<FilesMatch "\\.(ico|x-icon|js|css|jpg|jpeg|png|gif|swf|pdf)$">
Header set Pragma "public"
Header append Cache-Control "max-age=290304000, public"
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
</IfModule>