Last active June 11, 2024 19:51
Varnish Cache Set CORS headers
sub vcl_deliver {
    if (req.url ~ "/fonts/") {
        set resp.http.Access-Control-Allow-Origin = "*";
        set resp.http.Access-Control-Allow-Methods = "GET, OPTIONS";
        set resp.http.Access-Control-Allow-Headers = "Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token";
    }
}
That error isn't related to the request coming from a WebSocket (WebSockets and SOP/CORS is another topic). The error is being reported by the browser because the CORS spec says all credentialed CORS requests (i.e. those that include cookies) must specify an origin value in Access-Control-Allow-Origin -- wildcards are not allowed.
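For credentialed requests like the one discussed above, one way to replace the wildcard is to echo the request's Origin only when it matches an allow-list. This is an added example, not part of the original gist or of any comment; the origins under example.com and the backend address are assumptions to be replaced with your own.

```vcl
vcl 4.0;

# Assumed backend, present only so the file loads on its own.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_deliver {
    if (req.url ~ "/fonts/") {
        # Allow-list of trusted origins (hypothetical values). The pattern is
        # anchored at both ends so "https://app.example.com.evil.test" cannot match.
        if (req.http.Origin ~ "^https://(www|app)\.example\.com$") {
            # Credentialed CORS needs one explicit origin, never "*".
            set resp.http.Access-Control-Allow-Origin = req.http.Origin;
            set resp.http.Access-Control-Allow-Credentials = "true";
            set resp.http.Access-Control-Allow-Methods = "GET, OPTIONS";
            set resp.http.Access-Control-Allow-Headers = "Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token";
        } else {
            # Unknown or missing Origin: send no CORS grant at all, and drop
            # any grant the backend may have attached.
            unset resp.http.Access-Control-Allow-Origin;
            unset resp.http.Access-Control-Allow-Credentials;
        }

        # The response now differs per Origin, so tell browsers and any cache
        # in front of Varnish not to reuse it across origins.
        if (!resp.http.Vary) {
            set resp.http.Vary = "Origin";
        } else if (resp.http.Vary !~ "(?i)origin") {
            set resp.http.Vary = resp.http.Vary + ", Origin";
        }
    }
}
```

Because the headers are set in vcl_deliver, they are computed per request and are not stored with the cached object, so one origin's grant is never served from Varnish's cache to another origin.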
Very Useful! Thank You!
This seems not to work for websocket. (HTTP works as expected)
The websocket traffic got:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.