Skip to content

Instantly share code, notes, and snippets.

@fredbradley

fredbradley/cors-policy-oddities.md

Last active June 26, 2017 14:12
Show Gist options
  • Save fredbradley/92cf6a5d416c6559b6d4a5eb01e29e6a to your computer and use it in GitHub Desktop.
Save fredbradley/92cf6a5d416c6559b6d4a5eb01e29e6a to your computer and use it in GitHub Desktop.
Download ZIP
Can you help? I have a CDN which hosts some CSS files that references some
Raw
cors-policy-oddities.md

There are seemingly two ways to allow Cross Origin domains...

OPTION ONE

My preferred way of doing it, because it locks access down to only the specified domains that I allow.

  1. Set Origin Environment
SetEnvIf Origin "http(s)?://(www\.)?(([a-z0-9-]+).domain1.org|([a-z0-9-]+).domain2.org|test.devserver.org)$" AccessControlAllowOrigin=$0
  1. Use that Environment variable to add the header dynamicially
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

OPTION TWO

Another way of doing it, which allows all Cross Domains.

Header add Access-Control-Allow-Origin "*"

SO...

The later one seems to work with no problems. But is less secure for the reasons noted above. I want to know why the first one causes me problems? The regex seems fine. I took the idea from here: https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains which is referenced on the W3C site.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment