Access-Control-Allow-Origin wildcard subdomains, ports and protocols

Y

Yves M.

The CORS spec is all-or-nothing. It only supports *, null or the exact protocol + domain + port: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header

Your server will need to validate the origin header using the regex, and then you can echo the origin value in the Access-Control-Allow-Origin response header.

@Dexter "null" can be used in response to a "null" origin, e.g. when making a CORS request from a file:// scheme.

It's profoundly shortsighted that the CORS spec would not support the OP's exact use-case.

@aroth: Not really, the spec allows implementations to use any matching syntax they want; it would only be profoundly shortsighted for an implementation not to support this use-case. In other words, what you specify to your server is not the ACAO value, the latter is just a protocol detail. My assumption is that there is a security scenario that requires or benefits from the origin being echoed back, but a naive implementation works by just saying "OK" or not.

Update from 2015: This answer should be considered harmful, since it is incomplete and may lead to caching issues. Please see my answer below for a proper implementation (for Apache) and explanation: stackoverflow.com/a/27990162/357774 . Also, @aroth, as tne points out, the spec actually does allow the OP's exact use case: w3.org/TR/cors/#resource-implementation . And as this answer points out, it's up to the server to implement it. This can be done in 3 lines, as seen in the answer referred to above.

@Noyo - I'll clarify my original meaning then. It's profoundly shortsighted that the CORS spec does not strictly require all servers that implement CORS to provide automatic, built-in support for the OP's exact use-case. Leaving it up to each individual user to build their own shim using custom PHP code, rewrite rules, or what-have-you is a recipe for fragmentation, bugs, and disaster. Server devs should know better than that; and if they don't, the CORS spec should force them to.

S

Stephen Ostermiller

Based on DaveRandom's answer, I was also playing around and found a slightly simpler Apache solution that produces the same result (Access-Control-Allow-Origin is set to the current specific protocol + domain + port dynamically) without using any rewrite rules:

SetEnvIf Origin ^(https?://.+\.mywebsite\.example(?::\d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
Header merge  Vary "Origin"

And that's it.

Those who want to enable CORS on the parent domain (e.g. mywebsite.example) in addition to all its subdomains can simply replace the regular expression in the first line with this one:

^(https?://(?:.+\.)?mywebsite\.example(?::\d{1,5})?)$.

Note: For spec compliance and correct caching behavior, ALWAYS add the Vary: Origin response header for CORS-enabled resources, even for non-CORS requests and those from a disallowed origin (see example why).

We had almost this (not Vary Origin) and got bad behavior when visitors jumped between multiple sub domains using the same font. The font and the access-control-origin header was also cached. I have made a little change on this one: I use "Access-Control-Allow-Origin *" if the request is from one of our allowed domains. Maybe this was solved with "Vary Origin" that we didn't have before... now added that too.

Doesn't work for the principal domain 'mywebsite.com'

@pgmann, there's no need to escape the // in this context, since the Apache conf doesn't use slash-delimited regular expressions. Regexr complains because, in that context, the slashes have special meaning as delimiters.

The 'Access-Control-Allow-Origin' header contains multiple values '^(https?://(?:.+.)?aerofotea.com(?::d{1,5})?)$', but only one is allowed. Origin 'http://local.aerofotea.com' is therefore not allowed access.

Where do you place this code? .htaccess or in the apache virtual host config?

S

Stephen Ostermiller

Use @Noyo's solution instead of this one. It's simpler, clearer and likely a lot more performant under load.

ORIGINAL ANSWER LEFT HERE FOR HISTORICAL PURPOSES ONLY!!

I did some playing around with this issue and came up with this reusable .htaccess (or httpd.conf) solution that works with Apache:

<IfModule mod_rewrite.c>
<IfModule mod_headers.c>
    # Define the root domain that is allowed
    SetEnvIf Origin .+ ACCESS_CONTROL_ROOT=yourdomain.example

    # Check that the Origin: matches the defined root domain and capture it in
    # an environment var if it does
    RewriteEngine On
    RewriteCond %{ENV:ACCESS_CONTROL_ROOT} !=""
    RewriteCond %{ENV:ACCESS_CONTROL_ORIGIN} =""
    RewriteCond %{ENV:ACCESS_CONTROL_ROOT}&%{HTTP:Origin} ^([^&]+)&(https?://(?:.+?\.)?\1(?::\d{1,5})?)$
    RewriteRule .* - [E=ACCESS_CONTROL_ORIGIN:%2]

    # Set the response header to the captured value if there was a match
    Header set Access-Control-Allow-Origin %{ACCESS_CONTROL_ORIGIN}e env=ACCESS_CONTROL_ORIGIN
</IfModule>
</IfModule>

Just set the ACCESS_CONTROL_ROOT variable at the top of the block to your root domain and it will echo the Origin: request header value back to the client in the Access-Control-Allow-Origin: response header value if it matches your domain.

Note also that you can use sub.mydomain.example as the ACCESS_CONTROL_ROOT and it will limit origins to sub.mydomain.example and *.sub.mydomain.example (i.e. it doesn't have to be the domain root). The elements that are allowed to vary (protocol, port) can be controlled by modifying the URI matching portion of the regex.

S

Stephen Ostermiller

I'm answering this question, because the accepted answer can't do following

regex grouping is a performance hit, which is not necessary. cannot match primary domain and it only works for sub domain.

For example: It won't send CORS headers for http://mywebsite.example while works for http://somedomain.mywebsite.example/

SetEnvIf Origin "http(s)?://(.+\.)?mywebsite\.com(:\d{1,5})?$" CORS=$0

Header set Access-Control-Allow-Origin "%{CORS}e" env=CORS
Header merge  Vary "Origin"

To enable for your site, you just put your site in place of mywebsite.example in the above Apache Configuration.

To allow Multiple sites:

SetEnvIf Origin "http(s)?://(.+\.)?(othersite\.com|mywebsite\.example)(:\d{1,5})?$" CORS=$0

Validating After deploying:

The following curl response should have the "Access-Control-Allow-Origin" header after the change.

curl -X GET -H "Origin: http://site1.example" --verbose http://site2.example/query

D

DaveRandom

I needed a PHP-only solution, so just in case someone needs it as well. It takes an allowed input string like "*.example.com" and returns the request header server name, if the input matches.

function getCORSHeaderOrigin($allowed, $input)
{
    if ($allowed == '*') {
        return '*';
    }

    $allowed = preg_quote($allowed, '/');

    if (($wildcardPos = strpos($allowed, '*')) !== false) {
        $allowed = str_replace('*', '(.*)', $allowed);
    }

    $regexp = '/^' . $allowed . '$/';

    if (!preg_match($regexp, $input, $matches)) {
        return 'none';
    }

    return $input;
}

And here are the test cases for a phpunit data provider:

//    <description>                            <allowed>          <input>                   <expected>
array('Allow Subdomain',                       'www.example.com', 'www.example.com',        'www.example.com'),
array('Disallow wrong Subdomain',              'www.example.com', 'ws.example.com',         'none'),
array('Allow All',                             '*',               'ws.example.com',         '*'),
array('Allow Subdomain Wildcard',              '*.example.com',   'ws.example.com',         'ws.example.com'),
array('Disallow Wrong Subdomain no Wildcard',  '*.example.com',   'example.com',            'none'),
array('Allow Double Subdomain for Wildcard',   '*.example.com',   'a.b.example.com',        'a.b.example.com'),
array('Don\'t fall for incorrect position',    '*.example.com',   'a.example.com.evil.com', 'none'),
array('Allow Subdomain in the middle',         'a.*.example.com', 'a.bc.example.com',       'a.bc.example.com'),
array('Disallow wrong Subdomain',              'a.*.example.com', 'b.bc.example.com',       'none'),
array('Correctly handle dots in allowed',      'example.com',     'exampleXcom',            'none'),

+1, edited to use preg_quote() because that's the correct way to do it (even though . is the only regexp meta char valid in a DNS name, preg_quote() describes the intended operation better)

It should be clarified that none is not a semantically valid value for the header (or at least, does not do what it implies) according to the spec. As such, return null; may make more sense for that branch, and in that case no header should be sent to the client, so it should be checked for by the caller.

preg_quote() will quote the * sign and so the str_replace() for example leaves an orphaned "\".

this is useful, I spent time on CORS issue until I realised my site had "www" in the ajax, but not in the permalink structure - your solution helped me understand where the issue was and solved that for me.

R

RiZKiT

For Spring Boot I found this RegexCorsConfiguration which extends the official CorsConfiguration: https://github.com/looorent/spring-security-jwt/blob/master/src/main/java/be/looorent/security/jwt/RegexCorsConfiguration.java

S

Stephen Ostermiller

When setting Access-Control-Allow-Origin in .htaccess, only following worked:

SetEnvIf Origin "http(s)?://(.+\.)?domain\.example(:\d{1,5})?$" CRS=$0
Header always set Access-Control-Allow-Origin "%{CRS}e" env=CRS

I tried several other suggested keywords Header append, Header set, none worked as suggested in many answers on Stack Overflow, though I have no idea if these keywords are outdated or not valid for nginx.

Here is my complete solution:

SetEnvIf Origin "http(s)?://(.+\.)?domain\.example(:\d{1,5})?$" CRS=$0
Header always set Access-Control-Allow-Origin "%{CRS}e" env=CRS
Header merge Vary "Origin"

Header always set Access-Control-Allow-Methods "GET, POST"
Header always set Access-Control-Allow-Headers: *

# Cached for a day
Header always set Access-Control-Max-Age: 86400

RewriteEngine On

# Respond with 200OK for OPTIONS
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

S

Stephen Ostermiller

We were having similar issues with Font Awesome on a static "cookie-less" domain when reading fonts from the "cookie domain" (www.domain.example) and this post was our hero. See here: How can I fix the 'Missing Cross-Origin Resource Sharing (CORS) Response Header' webfont issue?

For the copy/paste-r types (and to give some props) I pieced this together from all the contributions and added it to the top of the .htaccess file of the site root:

<IfModule mod_headers.c>
 <IfModule mod_rewrite.c>
    SetEnvIf Origin "http(s)?://(.+\.)?(othersite\.example|mywebsite\.example)(:\d{1,5})?$" CORS=$0
    Header set Access-Control-Allow-Origin "%{CORS}e" env=CORS
    Header merge  Vary "Origin"
 </IfModule>
</IfModule>

Super Secure, Super Elegant. Love it: You don't have to open up your servers bandwidth to resource thieves / hot-link-er types.

S

Stephen Ostermiller

It looks like the original answer was for pre Apache 2.4. It did not work for me. Here's what I had to change to make it work in 2.4. This will work for any depth of subdomain of yourcompany.example.

SetEnvIf Host ^((?:.+\.)*yourcompany\.example?)$    CORS_ALLOW_ORIGIN=$1
Header append Access-Control-Allow-Origin  %{REQUEST_SCHEME}e://%{CORS_ALLOW_ORIGIN}e    env=CORS_ALLOW_ORIGIN
Header merge  Vary "Origin"

k

kevnk

I had to modify Lars' answer a bit, as an orphaned \ ended up in the regex, to only compare the actual host (not paying attention to the protocol or port) and I wanted to support localhost domain besides my production domain. Thus I changed the $allowed parameter to be an array.

    function getCORSHeaderOrigin($allowed, $input)
    {
        if ($allowed == '*') {
            return '*';
        }
    
        if (!is_array($allowed)) {
            $allowed = array($allowed);
        }
    
        foreach ($allowed as &$value) {
            $value = preg_quote($value, '/');
    
            if (($wildcardPos = strpos($value, '\*')) !== false) {
                $value = str_replace('\*', '(.*)', $value);
            }
        }
    
        $regexp = '/^(' . implode('|', $allowed) . ')$/';
    
        $inputHost = parse_url($input, PHP_URL_HOST);
    
        if ($inputHost === null || !preg_match($regexp, $inputHost, $matches)) {
            return 'none';
        }
    
        return $input;
    }

Usage as follows:

    if (isset($_SERVER['HTTP_ORIGIN'])) {
        header("Access-Control-Allow-Origin: " . getCORSHeaderOrigin(array("*.myproduction.com", "localhost"), $_SERVER['HTTP_ORIGIN']));
    }

k

kevnk

For me, I wanted a multi-domain option, and this is the solution I use, with python and flask,

    VALID_DOMAINS = 'https://subdomain1.example.com', 'https://subdomain2.example.com'


    def handle_request(request):
        origin = request.headers.get('Origin')
    
        if request.method == 'OPTIONS':
            if origin not in :
                return ''
    
            headers = {
                'Access-Control-Allow-Origin': origin,
                'Access-Control-Allow-Methods': 'GET',
                'Access-Control-Allow-Headers': 'Content-Type',
                'Access-Control-Max-Age': '3600',
            }
            return '', 204, headers
    
        return (
            main_function_with_logic(request),
            200,
            {'Access-Control-Allow-Origin': origin,
             ...}
        )

You can obviously expand the VALID_DOMAINS to however long you want, and whatever you want (non-https, different port, etc etc), and just check it on the request.

I prefer this solution than a wildcard solution, so this is my choice on the servers I run.

h

hosam hemaily

in my case using angular

in my HTTP interceptor , i set

with Credentials: true.

in the header of the request

Access-Control-Allow-Origin wildcard subdomains, ports and protocols

Follow WeChat

Want to stay one step ahead of the latest teleworks?

相似问题

Platform

Support

Links

Contact US