-1

I need to allow Access-Control-Allow-Origin from the following domains:

http://localhost:8080
app://MyApp

This is my current .htaccess conditions that I need set for both of the above domains:

Header Set Access-Control-Allow-Origin "http://localhost:8080"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Authorization, Accept"
Header Set Access-Control-Expose-Headers "Content-Disposition"

I already read a lot of solutions in SO on this that says to have the server read the Origin header from the client, compare it to the list of domains and then add the values if it matches. However, I am still unable to figure out how will I set my .htaccess file so it includes:

  1. 2 different domains that uses different scheme

  2. Also include Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Expose-Headers with it.

  3. I don't want to use * unless that is the only option.

Can someone help me rewrite my above .htaccess condition to include the 2 domains please.

Neel
  • 9,352
  • 23
  • 87
  • 128
  • I don’t know whether LiteSpeed supports the same range of expressions as Apache, but if it does, you could wrap this into an `` condition that checks the Origin header of the request, and then respond with Header from within that. https://httpd.apache.org/docs/2.4/expr.html#examples – CBroe Aug 28 '20 at 07:13
  • For details on how to write the Apache config, see the answer at https://stackoverflow.com/a/44600395/441757 and/or — if you’re not including authentication credentials (and also to ensure you’re handling the CORS preflight OPTIONS request) — the answer at https://stackoverflow.com/a/42558499/441757 – sideshowbarker Aug 28 '20 at 07:17
  • Why, exactly, don’t you want to just use the `*` wildcard? What specifically would you be trying to prevent by not using the `*` wildcard? Unless you’re allowing authentication credentials to be included in the request, there is no real-world problem in practice that you’d be avoiding by not just using the `*` wildcard. See the answer at https://stackoverflow.com/a/43154277/441757. – sideshowbarker Aug 28 '20 at 07:18
  • Thank you for your response @sideshowbarker. The reason I want to avoid * is because I want to allow auth credentials and in some requests the use of cookies, etc and I thought the * might have issues with it. Is there a way to add this into the htaccess itself without editing the Litespeed config file? – Neel Aug 28 '20 at 09:48
  • @sideshowbarker thank you for your comments. Your links helped me in putting together the `.htaccess` rules for my scenario. I didnt want to edit the Litespeed config file directly since it is easier to quickly edit the htaccess files rules than litespeed config. Your links gave me the idea and have added what I did as the answer. It seems to work now and hopefully my users dont have issues with this rule. – Neel Sep 02 '20 at 18:13
  • 1
    @Neel — Cheers, glad to hear you got it working – sideshowbarker Sep 02 '20 at 21:57

1 Answers1

0

This is how I added Multiple Domains with different Scheme along with a check on origin to send back Access-Control-Allow-Origin and other headers with it based on the request origin. I did not want to edit the LiteSpeed config file directly. The following rules in my .htaccess seems to work:

<IfModule mod_headers.c>
    SetEnvIf Origin "(http(s)?://localhost:8080)|(app://MyApp)|(app://myapp)$" AccessControlAllowOrigin=$0
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header add Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header add Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Authorization, Accept"
    Header add Access-Control-Expose-Headers "Content-Disposition"
    Header merge Vary Origin
</IfModule>
Neel
  • 9,352
  • 23
  • 87
  • 128