I have 2 subdomains,
a.domain.com
b.domain.com
I want both of them share the same source--
domain.com/source.html
I found the two subdomains can not share same source, request headers origin can not be changed dynamaticaly, I spent hours without any solution, could you give me some instruction? following is my htaccess script
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
index.html file in both two subdomain have totally same script
<base href='domain.com'>
<div></div>
<script>
$("div").load("source.html");
</script>
Hope I have my problem clear, thanks in advance for help.
Related
I need to allow Access-Control-Allow-Origin from the following domains:
http://localhost:8080
app://MyApp
This is my current .htaccess conditions that I need set for both of the above domains:
Header Set Access-Control-Allow-Origin "http://localhost:8080"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Authorization, Accept"
Header Set Access-Control-Expose-Headers "Content-Disposition"
I already read a lot of solutions in SO on this that says to have the server read the Origin header from the client, compare it to the list of domains and then add the values if it matches. However, I am still unable to figure out how will I set my .htaccess file so it includes:
2 different domains that uses different scheme
Also include Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Expose-Headers with it.
I don't want to use * unless that is the only option.
Can someone help me rewrite my above .htaccess condition to include the 2 domains please.
This is how I added Multiple Domains with different Scheme along with a check on origin to send back Access-Control-Allow-Origin and other headers with it based on the request origin. I did not want to edit the LiteSpeed config file directly. The following rules in my .htaccess seems to work:
<IfModule mod_headers.c>
SetEnvIf Origin "(http(s)?://localhost:8080)|(app://MyApp)|(app://myapp)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header add Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header add Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Authorization, Accept"
Header add Access-Control-Expose-Headers "Content-Disposition"
Header merge Vary Origin
</IfModule>
I am making a put request from safari which is giving CORS issue i.e
Failed to load resource: Method PUT is not allowed by Access-Control-Allow-Methods.
But it is working fine in chrome, you can see my response header and please help me if i am working something wrong
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "*");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With ,allow-access");
I just replace res.header("Access-Control-Allow-Methods", "*"); with res.header("Access-Control-Allow-Methods", "PUT"); and it's working fine, still have a doubt what is the problem with the '*'.
I was facing the same issue. Turns out server had Access-Control-Allow-Methods response header's value is set to *. It had to explicitly set to allow methods instead of a wildcard as it is not supported by a safari in iOS as given here in this MDN doc.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
I have web server running node server running on a server. The node server set the in the response header 'Access control' to a specific web site to allow only that website accessing the resources served by my node server:
header["Access-Control-Allow-Origin"] = "https://www.mywebsite.com";
In mywebsite.com when calls are made to get resources from the node server, the request works fine since they are coming from the authorized web site. I tested this on Chrome and FireFox. When I tried the same thing using IE10, the resources were not served ok.
When looking at the header request and response for IE 10, I noticed that the 'origin' is not filled correctly while it was filled ok using Firefox and Chrome.
Here is the Chrome header:
Chrome header values
While IE 10 header was:
Internet Explorer header values for same get request
On IE 10, the origin is filled with 'blob://'
While on Chrome and Firefox the origin web site domain is listed correctly allowing the CORS to work properly.
The resources served by the node server are mbtiles with .pbf that are binary streams.
Any idea why IE10 seems to put incorrect origin in the header request ? and may be a work around or solution for it ?
Thanks
I'm not sure if this will solve your problem but I have never had an issue using this method:
app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', 'http://www.website.com');
res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization, Access-Control-Allow-Credentials');
res.header('Access-Control-Allow-Credentials', 'true');
next();
});
Fairly new to Node and Express. I have a sails.js app that relies on knowing the origin of a request as I need to authenticate the request is coming from a domain that is registered.
I've seen in the logs that the origin is empty occasionally, why would this be happening? Is it not a good idea to rely on the origin property, is there another option?
Thanks
The origin may be hidden if the user comes from an ssl encrypted website.
Also: Some browser extensions remove origin and referer from the http-request headers, and therefore the origin property will be empty.
You might want to create some sort of authentication token and pass it as a parameter, instead on relying on request headers. Especially since the headers can be faked/manipulated.
Try with this:
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", req.header('origin'));
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
res.header("Access-Control-Allow-Credentials","true");
next();
});
If you want to get the url from which your client is requesting then use
req.headers.referer can help you out. for example I want am calling an abcd.com API from xyz.com then at abcd.com the referer will print xyz.com as it is the url from which you are requesting.
Try this
var host = req.headers.host;
OR
var host = req.get('host');
I was trying to deny the access to my json files through internet because I want that my users get these files over my website and not by absolute URL in the explorer.
After many hours surfing over internet trying to find a solution, I read a lot of comments that were talking about cross-domain petitions.
Supposing we have 2 domains with 2 different ip's I protect the first server with all the json data by using an .htaccess that only allows the ip of the domain which is gonna request the json.
Then in my second domain I would do a async petition so I could get the data.
So my question is, if the second domain uses my IP or its IP address to request the first server the file and in case if it's possible to do what i've purposed in that way.
For the moment that's what I've done:
SERVER-1
.htaccess
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
order deny,allow
deny from all
allow from 106.211.22.0/20
SERVER-2
<html>
</head>
<script type="text/javascript" src="./jquery/1.7.2.jquery.min.js"></script>
<script>
$.ajax({
type: 'POST',
url: 'http://server1.es/json/list.json',
crossDomain: true,
dataType: 'json',
success: function(responseData, textStatus, jqXHR) {
var value = responseData.someKey;
},
error: function (responseData, textStatus, errorThrown) {
alert('POST failed.');
}
});
</script>
</head>
</html>
USER-IP using the domain 2
211.122.220.125