CORS error, htaccess fix?

pkromer
We are getting a CORS error when trying to run an API request from one of our subdomains to another. I saw an htaccess fix...

<IfModule mod_headers.c>
   # Capture the requesting Origin when it is a subdomain of MyDomain.com
   SetEnvIf Origin "^(.*\.MyDomain\.com)$" ORIGIN_SUB_DOMAIN=$1
   # Echo that origin back only when the capture above matched
   Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
   # Header names take no trailing colon in a Header directive
   Header set Access-Control-Allow-Methods "*"
   Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
</IfModule>

I added that to the htaccess file of where the API request was going *to*, but we still get the error. Does it need to go in the htaccess of the site the request is coming *from*? Or both? In other words, does the htaccess stuff need to live where the request originates or where the request is processed? Or both?
Anthony Garcia, DevOps Staff

Commented:
The CORS rules should be on the server that is processing the requests.
In the example you posted above you replaced "MyDomain\.com" with your own domain, right? It might also be that an OPTIONS request is being sent, but not responded to. Header set Access-Control-Allow-Methods "*" takes care of allowing OPTIONS requests, but you need to have a way to respond to them.

You can add something like this.
<IfModule mod_headers.c>
   SetEnvIf Origin "^(.*\.MyDomain\.com)$" ORIGIN_SUB_DOMAIN=$1
   Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
   Header set Access-Control-Allow-Methods "*"
   Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
   # Respond to the OPTIONS preflight request with a 200 (needs mod_rewrite)
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} OPTIONS
   RewriteRule .* / [R=200,L]
</IfModule>



If you want to test that your rules are being applied correctly you can use curl.
curl -H "Origin: http://MyDomain.com" --verbose \
  https://www.Your-Domain.com/api...




Replace the domains with your own domains and API calls. Look at the -H flag for curl, which lets you set a header in your request to set the origin.
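The server-side decision the htaccess rules above encode, written out as an added Python example (not code from this thread or from Apache) so the three policies that appear in the thread can be compared side by side: the interim wildcard, the final fixed origin, and the subdomain allow-list. Domain names are constructed; the subdomain pattern is tightened from the thread's ".*" to a hostname character set as an assumption, and "Vary: Origin" is added because a per-origin answer must not be cached for other origins.

```python
import re
from typing import Dict, Optional, Pattern, Tuple, Union

# Three policies seen in the thread (domain values are constructed):
WILDCARD = "*"                                            # the interim "wide open" fix
FIXED_ORIGIN = "https://name.another.again.mydomain.com"  # the final locked-down fix
# Subdomain allow-list like the SetEnvIf rule, but only real host labels can match.
SUBDOMAINS = re.compile(r"^https://(?:[a-z0-9-]+\.)+mydomain\.com$", re.IGNORECASE)

ALLOW_METHODS = "GET, POST, OPTIONS"
ALLOW_HEADERS = "Origin, X-Requested-With, Content-Type, Accept, Authorization"

Policy = Union[str, Pattern[str]]


def allowed_origin(origin: str, policy: Policy) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None when the origin is refused."""
    if isinstance(policy, str):
        if policy == WILDCARD:
            return "*"
        return origin if origin == policy else None
    return origin if policy.match(origin) else None


def cors_response(method: str, request_headers: Dict[str, str],
                  policy: Policy) -> Tuple[Dict[str, str], bool]:
    """Decide what the API host adds to its response for one request.

    Returns (headers, handled). `handled` is True for the OPTIONS preflight,
    which is answered with 200 and these headers and never reaches the API
    code, as the RewriteRule in the thread does. Requests without an allowed
    Origin get no CORS headers at all, so the browser blocks the response.
    """
    headers: Dict[str, str] = {}
    origin = request_headers.get("Origin")
    acao = allowed_origin(origin, policy) if origin is not None else None
    if acao is not None:
        headers["Access-Control-Allow-Origin"] = acao
        headers["Access-Control-Allow-Methods"] = ALLOW_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOW_HEADERS
        if acao != "*":
            # The answer depends on Origin, so shared caches must key on it.
            headers["Vary"] = "Origin"
    return headers, method.upper() == "OPTIONS"
```

A curl call such as the one above, with `-X OPTIONS` added, is the matching server-side check: the preflight should come back 200 with exactly these headers.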
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Keep in mind CORS is only enforced by browsers, which means scraping without browser is possible.

You might open another question describing the assets (files) you're targeting to protect + ask about how to protect all assets using hotlinking protection.

Author

Commented:
I haven't tried anything else yet but wanted to show you first the error I'm getting... the attached screenshots show the CORS error (two shots because the screen wouldn't get taller) and what I have in the htaccess file on the server where the "access to xmlhttprequest at <domain>" is happening.
(Attachments: error first part, error second part, htaccess)

Author

Commented:
btw, the domain shown in htaccess is indeed a four part domain, like one.two.three.domain.com
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
https://enable-cors.org/server_apache.html provides a good starting point.

Once an origin header is returned correctly for all accessing domains, then you can tighten your ACL.

Tip: Always start with the simple case first.

Tip: Use Anthony's curl test approach. The only way to know what's occurring is to debug the server side. The messages you're providing are browser side... which isn't really useful for problem determination + resolution.

Note: For best answers post your actual host serving your Origin header.

Author

Commented:
I'm sorry, I don't understand. Are you saying I need to get my web host involved to debug? Are you also saying that what I have in the htaccess at the destination server isn't correct?

Author

Commented:
I don't have errors anymore, just warnings, see attached screenshot. I did this by adding:

Header set Access-Control-Allow-Origin "*"

Now I need to lock it down more so it's not wide open, but I think I'm getting closer.
(Attachment: warnings)

Author

Commented:
Ok, this is done. I made the htaccess entry:

Header set Access-Control-Allow-Origin "https://name.another.again.domain.com"

Of course using our real domain, and it works fine. Thanks all.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You're welcome!

Glad you got this working!

Author

Commented:
Thanks David.

Just FYI for anyone else, to get rid of the final two warnings about DevTools, I had to add this to the htaccess of the origin server:

### Serve sourcemaps as javascript
AddHandler application/javascript .map
AddType application/javascript .map

Now there are no errors, no warnings :-)
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Thanks for the update!

Likely this will help someone in the future.
