FGRibreau · May 26, 2020 11:06
diff --git a/cors-nginx.conf b/cors-nginx.conf

 #
 # Slightly tighter CORS config for nginx
 #
 # A modification of https://gist.github.com/1064640/ to include a white-list of URLs
 #
 # Despite the W3C guidance suggesting that a list of origins can be passed as part of
 # Access-Control-Allow-Origin headers, several browsers (well, at least Firefox) 
 # don't seem to play nicely with this.
 #
 # To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting 
 # method to control access instead.
 #
 # NB: This relies on the use of the 'Origin' HTTP Header.

 # Fork by @FGRibreau - 2018-07-16
 # - match all sub-domain
 # - `add_header` with `always` param to specify CORS headers even in 5xx & 4xx responses

 location / {

    # will be interpreted as a case-insensitive regular expression match.
    if ($http_origin ~ ^(.*)\.domain-name\.tld) {
     set $cors "true";
    }

   # Nginx doesn't support nested If statements. This is where things get slightly nasty.
   # Determine the HTTP request method used

   if ($request_method = 'OPTIONS') {
       set $cors "${cors}options";  
   }
   if ($request_method = 'GET') {
       set $cors "${cors}get";  
   }
   if ($request_method = 'POST') {
       set $cors "${cors}post";
   }

   if ($cors = "true") {
       # Catch all incase there's a request method we're not dealing with properly
       add_header 'Access-Control-Allow-Origin' "$http_origin" always;
   }

   if ($cors = "trueget") {
       add_header 'Access-Control-Allow-Origin' "$http_origin" always;
       add_header 'Access-Control-Allow-Credentials' 'true' always;
       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
       add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
   }

   if ($cors = "trueoptions") {
       add_header 'Access-Control-Allow-Origin' "$http_origin" always;

       #
       # Om nom nom cookies
       #

       add_header 'Access-Control-Allow-Credentials' 'true' always;
       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
       
       #
       # Custom headers and headers various browsers *should* be OK with but aren't
       #

       add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
       
       #
       # Tell client that this pre-flight info is valid for 20 days
       #

       add_header 'Access-Control-Max-Age' 1728000 always;
       add_header 'Content-Type' 'text/plain charset=UTF-8' always;
       add_header 'Content-Length' 0 always;
       return 204;
   }

   if ($cors = "truepost") {
       add_header 'Access-Control-Allow-Origin' "$http_origin" always;
       add_header 'Access-Control-Allow-Credentials' 'true' always;
       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
       add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
   }

 }

	#
	# Slightly tighter CORS config for nginx
	#
	# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
	#
	# Despite the W3C guidance suggesting that a list of origins can be passed as part of
	# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
	# don't seem to play nicely with this.
	#
	# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
	# method to control access instead.
	#
	# NB: This relies on the use of the 'Origin' HTTP Header.

	# Fork by @FGRibreau - 2018-07-16
	# - match all sub-domain
	# - `add_header` with `always` param to specify CORS headers even in 5xx & 4xx responses

	location / {

	# will be interpreted as a case-insensitive regular expression match.
	if ($http_origin ~ ^(.*)\.domain-name\.tld) {
	set $cors "true";
	}

	# Nginx doesn't support nested If statements. This is where things get slightly nasty.
	# Determine the HTTP request method used

	if ($request_method = 'OPTIONS') {
	set $cors "${cors}options";
	}
	if ($request_method = 'GET') {
	set $cors "${cors}get";
	}
	if ($request_method = 'POST') {
	set $cors "${cors}post";
	}

	if ($cors = "true") {
	# Catch all incase there's a request method we're not dealing with properly
	add_header 'Access-Control-Allow-Origin' "$http_origin" always;
	}

	if ($cors = "trueget") {
	add_header 'Access-Control-Allow-Origin' "$http_origin" always;
	add_header 'Access-Control-Allow-Credentials' 'true' always;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
	add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
	}

	if ($cors = "trueoptions") {
	add_header 'Access-Control-Allow-Origin' "$http_origin" always;

	#
	# Om nom nom cookies
	#

	add_header 'Access-Control-Allow-Credentials' 'true' always;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;

	#
	# Custom headers and headers various browsers should be OK with but aren't
	#

	add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;

	#
	# Tell client that this pre-flight info is valid for 20 days
	#

	add_header 'Access-Control-Max-Age' 1728000 always;
	add_header 'Content-Type' 'text/plain charset=UTF-8' always;
	add_header 'Content-Length' 0 always;
	return 204;
	}

	if ($cors = "truepost") {
	add_header 'Access-Control-Allow-Origin' "$http_origin" always;
	add_header 'Access-Control-Allow-Credentials' 'true' always;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
	add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
	}

	}