Firefox does not allow cross-domain fonts, it seems. In order to serve fonts from a domain other than the web page's, the font files need to be served with an Access-Control-Allow-Origin header. I am currently achieving this via NGINX like this.
location ~* \.(ttf|woff|eot|otf)$ {
    # public font files: any origin may fetch them
    add_header Access-Control-Allow-Origin *;
    expires 8d;
}
This is working perfectly; however, I was wanting to know what the proper value(s) for the header would be if I did not want to use *. Would it be the subdomain I'm using for the CDN? The domain for the site? How would I specify multiple values?
It needs to be the domain(s) from which you are requesting the resources.
Let's say you use the font for the domain http://example.com; then add Access-Control-Allow-Origin: http://example.com. You can space-separate multiple origins.
In some browsers multiple domains cause issues. In that case you can programmatically read the Origin header of the response, check it against some whitelist and respond with the same value in Access-Control-Allow-Origin header. IMO, the latter would be the best practice.
Additional Note
The value of the Access-Control-Allow-Origin header needs to consist of the scheme (e.g. http), domain (e.g. example.com) and port (only if it is not a default port).
W3C Spec
I do not want any cross-domain calls to my domain. In such a scenario,
1) Is Same-Origin a valid value for the header Access-Control-Allow-Origin?
2) If yes, is this value secure from a security point of view?
3) If no, should I hardcode it to mydomain.com?
If you don't want any cross-domain requests, just don't send any CORS response headers in the response - it's that easy.
Specific answers, if you do want to allow some domains (e.g. ones that you control) to allow cross-domain requests:
1) Is Same-Origin a valid value for the header Access-Control-Allow-Origin?
No, the only valid values for the Access-Control-Allow-Origin (aka 'ACAO') header are Access-Control-Allow-Origin: * (allow any requesting domain) or Access-Control-Allow-Origin: scheme://domain[:port] which exactly matches the value of the Origin request header. Basically, you either return an asterisk, or just 'mirror back' the value of the Origin request header.
2) If yes, is this value secure from a security point of view?
If the question is "Is a value of Access-Control-Allow-Origin: * secure?", the answer is that it depends entirely on your setup. Do you need to pass auth info (cookies, Authentication header etc.)? What are you trying to do? "Security" isn't really the right word here. Passing a value of * means that a request from any domain can retrieve your asset or make a call to your API. Is that a problem?
3) If no, should I hardcode it to mydomain.com?
If you do so, you must include the scheme (and port, if it's not either 80 (for HTTP) or 443 (for HTTPS)).
If in doubt, do this (pseudo-code):
if (Origin header matches "*.mydomain.com" or Origin header matches "*://mydomain.com") {
    // echo back the single origin that matched; the header holds one value, not a list
    addheader("Access-Control-Allow-Origin: " + [Origin header])
}
It depends on your application architecture.
Suppose you are developing a system where your web application resides on one server with one domain and your service application (REST APIs) resides on a different server with a different domain.
Then allowing only the same origin will not work. You will need to make cross-domain calls from the web application.
So taking such decisions will vary according to your project architecture.
If you are sure about the domain which will access that resource or REST API, then you can restrict it to the specific domain you want.
I've taken over a site that previously used HSTS, but because of some iframes I need to embed, I need to disable it. I'm able to intelligently redirect from one protocol to the other, but Safari, in particular, doesn't want to disregard its HSTS cache.
In this question (Is it possible to ask your users to clear their HTTP Strict Transport Security (HSTS) for your site?) and on other sites, I've seen that I can request browsers to remove my site from their HSTS cache by sending the following header:
Strict-Transport-Security: max-age=0
However, Safari doesn't seem to care about that. On a coworker's computer, which has the site in its HSTS cache, receiving that header is not preventing it from automatically redirecting to https.
Anyone know a way to tell Safari to disregard HSTS?
It could be set on the top level domain.
So if you are looking at www.example.com then maybe the policy has been published from example.com with includeSubDomains option so it affects all subdomains (including www subdomain).
If so, the answer is similar. Publish this header from the base domain and make sure you visit the base domain (even if it just redirects to the main domain).
Strict-Transport-Security: max-age=0; includeSubDomains
Also check the preload lists for the base domain.
It would also be worth looking through the web config and any scripts or dynamic parts of the website (e.g. PHP, Java Servlets, etc.) to make sure something is not still setting this when you visit a certain page, for example.
Do I have to return a HTTP Strict Transport Security header for all resources (stylesheets, scripts, images) loaded with my documents? or is it enough to include them for the documents only?
The security hint should be applied per-domain, so just sending it with the documents should be enough to inform the browser to only fetch resources over HTTPS? Or have I misunderstood how it is supposed to work?
Anyone only accessing my site’s resources directly is not really an audience I want to cater specifically for anyway.
Turns out it should be enough to send the header for documents.
If a UA receives HTTP responses from a Known HSTS Host over a secure channel but the responses are missing the STS header field, the UA MUST continue to treat the host as a Known HSTS Host until the max-age value for the knowledge of that Known HSTS Host is reached.
https://www.rfc-editor.org/rfc/rfc6797#section-8.6
Hoping clients have implemented the RFC correctly.
Update: Here is the Apache configuration I used. I unset it for resources instead of setting it for documents specifically to make sure the header is used in redirects and other pages generated by Apache.
# Enable HSTS for all responses, but disable for common resources
Header always set Strict-Transport-Security "max-age=324000; includeSubDomains"
<FilesMatch "\.(css|gif|ico|jpeg|jpg|js|png|woff)$">
    # "always" selects the same header table the directive above wrote to;
    # a plain "Header unset" would leave that copy in place
    Header always unset Strict-Transport-Security
</FilesMatch>
Shaves off 64 bytes from each resource’s response headers.
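The two HSTS answers above rest on the same two rules from RFC 6797: a policy published by example.com with includeSubDomains covers www.example.com until example.com itself sends max-age=0, and a response that simply omits the header leaves an existing entry untouched. The following is an added example, not code from either post: a minimal model of a browser's HSTS store in Node.js, with constructed hostnames and a `scenario()` function that walks through the Safari situation from the first question. Real browsers also consult the preload list and refuse to store policies for IP-address hosts, neither of which is modelled here.

```javascript
// Added example (not from the posts above): a minimal RFC 6797 HSTS store.
// Hostnames and header values below are constructed for illustration.

// Parse a Strict-Transport-Security value: "max-age=N[; includeSubDomains]".
// Returns null when max-age is missing or malformed; RFC 6797 s6.1 says such
// a header is ignored, which means it does NOT clear an existing entry either.
function parseSts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(";")) {
    const [name, v] = raw.trim().split("=").map((s) => s.trim());
    const val = (v || "").replace(/^"(.*)"$/, "$1"); // max-age="0" is legal
    const lname = name.toLowerCase();
    if (lname === "max-age") {
      if (!/^\d+$/.test(val)) return null;
      maxAge = parseInt(val, 10);
    } else if (lname === "includesubdomains") {
      includeSubDomains = true;
    }
    // unknown directives are ignored (s6.1)
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  // `now` is injectable so expiry can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.entries = new Map();
    this.now = now;
  }

  // Called for every response from `host`. `stsHeader` is the header value,
  // or undefined when the response carried none.
  observe(host, stsHeader, { secure = true } = {}) {
    host = host.toLowerCase();
    if (!secure) return;                 // s7.2: ignore the header over plain http
    if (stsHeader === undefined) return; // s8.6: absence keeps the existing entry
    const parsed = parseSts(stsHeader);
    if (parsed === null) return;
    if (parsed.maxAge === 0) {           // s6.1.1: max-age=0 deletes this host only
      this.entries.delete(host);
      return;
    }
    this.entries.set(host, {
      expires: this.now() + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
  }

  // Should a request to `host` be rewritten to https? Walks from the host
  // itself up through its parent domains (s8.2/s8.3).
  isKnownHstsHost(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= this.now()) {     // expired entries are dropped lazily
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}

// The situation from the Safari question: the entry came from the base
// domain with includeSubDomains, and only www.example.com sends max-age=0.
function scenario() {
  let t = 0;
  const store = new HstsStore(() => t);
  store.observe("example.com", "max-age=31536000; includeSubDomains");
  const beforeReset = store.isKnownHstsHost("www.example.com");
  store.observe("www.example.com", "max-age=0");           // wrong host: no effect
  const afterWwwReset = store.isKnownHstsHost("www.example.com");
  store.observe("example.com", undefined);                 // header absent: no effect
  const afterMissing = store.isKnownHstsHost("www.example.com");
  store.observe("example.com", "max-age=0; includeSubDomains"); // base domain: cleared
  const afterBaseReset = store.isKnownHstsHost("www.example.com");
  return { beforeReset, afterWwwReset, afterMissing, afterBaseReset };
}

module.exports = { parseSts, HstsStore, scenario };
```

`scenario()` returns `beforeReset`, `afterWwwReset` and `afterMissing` all `true` and `afterBaseReset` `false`, which is the sequence the first answer describes: only the host that published the policy can retract it, and the retraction must itself be fetched over https.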
Hi, I am making an Ajax call across domains but on the same machine. In Apache I have created a virtual host and set up ProxyPass and ProxyPassReverse.
When I make my Ajax call in IE it works, but on all subsequent calls it returns the same value, even though I know this value has changed.
In Chrome I get the error:
Origin http://myip is not allowed by Access-Control-Allow-Origin.
Do I still have some configuration in Apache to do, or do I need to change something in the browser?
Thanks for any thoughts.
There is a technique called Cross-Origin Resource Sharing (CORS). Basically you need to specify a special HTTP header to allow cross-domain access:
Access-Control-Allow-Origin: http://www.example.com
If you have mod_headers installed you can try to add this line to your .htaccess file or server configuration:
Header add Access-Control-Allow-Origin "http://www.example.com"
If you want to allow general access from all domains like for public API allow all domains with the asterisk:
Header add Access-Control-Allow-Origin "*"
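Both the font question at the top of the page ("how would I specify multiple values?") and the Apache question just above come down to the same server-side decision, so here is one added example covering both; it is not code from any of the answers. It is a Node.js function that turns a request's Origin header into the right CORS response headers: `*` for credential-free public assets such as fonts, and otherwise a single echoed-back origin from an explicit allowlist, since the header carries one value and not a list. `ALLOWED_ORIGINS` and the origins in the self-check are constructed.

```javascript
// Added example (not from the posts above): CORS headers from an allowlist.
// ALLOWED_ORIGINS and all origins used below are constructed for illustration.
// Runs under Node.js with no dependencies.

// Exact origins we trust, written the way a browser serializes Origin:
// lowercase scheme://host, port only when it is not the scheme default.
const ALLOWED_ORIGINS = new Set([
  "https://example.com",
  "https://cdn.example.com",
  "http://localhost:8080", // a non-default port is part of the value
]);

// Canonicalize an Origin value. Returns null for the opaque origin "null"
// (sandboxed iframes, file: pages), for unparsable values, and for values
// carrying userinfo, a path, a query or a fragment, none of which a browser
// would send and none of which should ever be echoed back.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null;
  }
  if (u.origin === "null") return null;
  if (u.href !== u.origin + "/") return null;
  return u.origin; // lowercased, default port stripped
}

// Compute the CORS headers for one request. `requestHeaders` has lowercase
// keys, as Node's http module provides.
//   publicAsset:      credential-free public resource such as a web font;
//                     any origin may read it, so "*" is appropriate.
//   allowCredentials: the response may be read together with cookies or
//                     HTTP auth; "*" is forbidden in that case, so only an
//                     exact allowlisted origin is ever echoed back.
function corsHeaders(requestHeaders, { publicAsset = false, allowCredentials = false } = {}) {
  if (publicAsset && !allowCredentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  const headers = {};
  const origin = normalizeOrigin(requestHeaders["origin"]);

  // No usable Origin: a same-origin request or a plain navigation.
  // Sending no CORS header at all is how cross-origin reads are denied.
  if (origin === null) return headers;

  // Not allowlisted: again send nothing. The request may still have run
  // server-side (simple requests are not preflighted), so CORS is not a
  // substitute for the server's own authorization checks.
  if (!ALLOWED_ORIGINS.has(origin)) return headers;

  // The header carries exactly one origin, never a list: "several allowed
  // origins" is expressed by echoing back whichever one matched.
  headers["Access-Control-Allow-Origin"] = origin;
  // The response now differs per Origin, so shared caches must key on it.
  headers["Vary"] = "Origin";
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Self-check over constructed requests.
function selfCheck() {
  return {
    allowed: corsHeaders({ origin: "https://cdn.example.com" }),
    rejected: corsHeaders({ origin: "https://evil.example.net" }),
    sameOrigin: corsHeaders({}),
    font: corsHeaders({ origin: "https://anything.test" }, { publicAsset: true }),
  };
}

module.exports = { ALLOWED_ORIGINS, normalizeOrigin, corsHeaders, selfCheck };
```

In the Chrome error from the question, `http://myip` is the value the browser put in the Origin request header; that exact string (scheme, host and, if non-default, port) is what the server must echo back, and `Vary: Origin` is what keeps a proxy from handing one origin's answer to another.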
I'm making a website based on my API, which is implemented on the server. The API supports ETag and If-Modified-Since. The website is written using Backbone.js. When I use the collection methods (fetch) to retrieve data from the server, Backbone operates without cache control. How can I set the appropriate headers (ETag, etc.) in the query data?
It really depends on your server as that's where the cache headers are set and the browser just obeys them. Most people use Apache or Nginx. For Nginx I like to cache static media for example:
location ~* ^.+\.(jpg|jpeg|gif|png|ico|eot|ttf|woff)$ {
    # static media only: anchored at the end so the extension must be the last component
    root /var/www/html/mysite.com;
    expires 90d;
}
Note that for any web server you can get granular with your caching, from the path down to the file extension of the request. Google and you will find how to set it for Apache.
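The answer above covers the static-file case with an nginx `expires`; the question was about an API whose collection responses carry ETag and Last-Modified. What makes Backbone's fetch stop re-downloading unchanged data is the browser cache doing conditional requests on the XMLHttpRequest, which in turn depends on the server answering them correctly. The following is an added example, not code from the question or the answer: the server-side evaluation of If-None-Match and If-Modified-Since in Node.js, with a constructed resource and constructed request headers, showing the precedence rule and the weak ETag comparison that a hand-rolled implementation usually gets wrong.

```javascript
// Added example (not from the posts above): conditional GET evaluation for an
// API resource that exposes ETag and Last-Modified validators (RFC 7232).
// SAMPLE and all request headers used with it are constructed.

function httpDate(ms) {
  return new Date(ms).toUTCString(); // one-second resolution, as HTTP dates are
}

// If-None-Match uses the weak comparison (RFC 7232 s2.3.2): W/"x" matches "x".
function etagsMatchWeak(a, b) {
  const strip = (t) => t.trim().replace(/^W\//, "");
  return strip(a) === strip(b);
}

// Evaluate a GET against `resource` = { etag, lastModified (ms), body }.
// `requestHeaders` has lowercase keys, as Node's http module provides.
// Returns { status, headers, body }, with body omitted on 304.
function conditionalGet(requestHeaders, resource) {
  const headers = {
    "ETag": resource.etag,
    "Last-Modified": httpDate(resource.lastModified),
    // no-cache: the browser may keep the body but must revalidate before
    // reusing it, so every fetch() becomes a cheap conditional request.
    "Cache-Control": "private, no-cache",
  };
  const ok = () => ({ status: 200, headers, body: resource.body });
  const notModified = () => ({ status: 304, headers });

  // If-None-Match takes precedence; If-Modified-Since is then ignored (s6).
  const inm = requestHeaders["if-none-match"];
  if (inm !== undefined) {
    const matched =
      inm.trim() === "*" ||
      inm.split(",").some((t) => etagsMatchWeak(t, resource.etag));
    return matched ? notModified() : ok();
  }

  const ims = requestHeaders["if-modified-since"];
  if (ims !== undefined) {
    const since = Date.parse(ims);
    // An unparsable date means the condition is ignored, not failed.
    // Compare at whole seconds because the header cannot carry milliseconds.
    if (!Number.isNaN(since) &&
        Math.floor(resource.lastModified / 1000) <= Math.floor(since / 1000)) {
      return notModified();
    }
  }
  return ok();
}

// Constructed resource standing in for one API collection.
const SAMPLE = {
  etag: '"v7"',
  lastModified: Date.UTC(2013, 4, 1, 12, 0, 0),
  body: JSON.stringify([{ id: 1, name: "first" }, { id: 2, name: "second" }]),
};

module.exports = { httpDate, etagsMatchWeak, conditionalGet, SAMPLE };
```

With a server that behaves like this, nothing special is needed on the Backbone side for the normal case: the browser stores the ETag and Last-Modified from the first response and adds If-None-Match and If-Modified-Since to the next XMLHttpRequest on its own. If you do need to send a validator explicitly, Backbone.sync passes the options object through to jQuery.ajax, so `collection.fetch({ headers: { "If-None-Match": etag } })` sets the request header.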