I'm trying to set Access-Control-Allow-Origin header to all but cannot use wildcard since it's not allowed with allow credentials.
So my solution is to set origin header to whatever the domain is, something like:
Header set Access-Control-Allow-Origin "%{HTTP_REFERER}e"
but that includes URI as well.
I can I strip uri form HTTP_REFERER so i get https://www.example.com ?
Many thanks
Try this:
SetEnvIf Origin ".+" ACAO=$0
Header set Access-Control-Allow-Origin "%{ACAO}e"
Related
I am sorting out a website that will be getting pen-tested soon, we've have been asked to add the X-Frame-Options header to our server configuration. When adding the following header it gives me an error message in the console.log where we are using iframes
-- nginx header --
add_header 'X-Frame-Options' "SAMEORIGIN";
-- Error --
`Refused to display 'https://api.domain.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Obviously I understand the security reasons for this header but our website has an iframe that we simply cannot change & it is on a different domain e.g oldapp.domain.com rather than api.domain.com.
I would have used the ALLOW-FROM uri directive to allow from this other domain, but this directive is no longer recommended, is there an alternative to ALLOW-FROM uri that will enable me to simply add a domain that can be allowed to display iframe content?
For all browsers except some older ones (like IE) you should use Content-Security-Policy with the frame-ancestors directive instead. With CSP frame-ancestors you can use wildcards *.domain.com or multiple sources "oldapp.domain.com api.domain.com www.domain.com".
X-Frame-Options ALLOW-FROM only accepts one uri, you will likely have to dynamically set the uri from a list of allowed hostnames based on the incoming request. Alternatively you can set the value to SAMEORIGIN if you don't need to fully support IE and other outdated browsers as X-Frame-Options will be disregarded if CSP frame-ancestors is present.
Suppose I have a web application at origin.com. When I browse origin.com it request cross-site data from datafeed.origin.com. I have following written in .htaccess of datafeed.origin.com Header set Access-Control-Allow-Origin origin.com. Everything works perfectly till this point.
What I need is protect datafeed.origin.com. How can I prevent this domain from browsing directly from browser or any other application. Only allow access when cross referencing from origin.com.
You can specify the origin when setting the Access-Control-Allow-Origin header:
Access-Control-Allow-Origin: <origin>[, <origin>]*
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
Looking at your post it looks like you've done this, so cross origin requests should fail from other domains
I'm trying to allow calls made to "/api/whateverEndpoint", while keeping CORS strict for all other calls.
I've come across this link Whitelisted CORS using Apache which gives the solution for origin filtering:
# e.g. origin = https://host-b.local
SetEnvIfNoCase Origin "https://host-b.local" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
But i need to adapt this to filter based on the request uri.
Any idea is greatly appreciated
So you just need to set a variable based on a match against Request_URI, then use that; like this:
SetEnvIf Request_URI "^/api/whateverEndpoint" IsAllowedEndpoint
Header set Access-Control-Allow-Origin "*" env=IsAllowedEndpoint
I have created many WordPress sites and there is something I was never able to fix.
When you have two domains for the same website (such as www.example.com and www.example.fr) only one shows correctly and the alternative doesn't show it's images.
I guess this is a common problem that might happen to a lot of you. Any idea to help me fix it ?
First, check that both WordPress Address (URL) and Site Address (URL) are set properly in
wp-admin/ >> Settings >> General
If that is not the case, see the error messages in the console:
(index):1 Font from origin 'http://draidel.com' has been blocked from
loading by Cross-Origin Resource Sharing policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://draidel.com.ar' is therefore not allowed
access.
You can resolve this by adding the following to you .htaccess
Header add Access-Control-Allow-Origin "draidel.com"
You may need to change the permissions of .htaccess as WordPress loves to change it randomly.
So I am using the following rule in the htaccess:
AddType SCHM wsc
<FilesMatch "\.(wsc)$">
ForceType SCHM
Header set Content-Disposition attachment
</FilesMatch>
But when I go to the file's location it doesn't force the download
Since the question is already answered in the comments, this is just to provide an answer in the way how Stackoverflow designated it.
Like in the question it can be solved by using mod_headers of Apache 2. Since Content-Disposition is not part of the standard of HTTP, you may add some other header to achieve your objective.
<FilesMatch "\.(wsc)$">
Header set Content-Type application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>
Another thing you should consider is that your browser may cache the responce of the server. The browser will still send the request, but the request will contain a node that the browser already have the file from a given date. If the files hasn't changed since the given date, the server will not send the new headers to your browser. This means if you change the .htaccess, you may not see any impact until you disable caching in your browser or you change the timestamps of the file.
You can also add
Header set X-Content-Type-Options "nosniff"
for better compatiblity (and maybe security). It prevents the browser from doing MIME-type sniffing, which would ignore the declared content-type. See here for more information.
RFC2616 say for 19.5.1 Content-Disposition
If this header is used in a response with the application/octet- stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' dialog.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1