Setting Access-Control-Allow-Origin in .htaccess for Https protocol
Solution 1
I had to create a .php so that I request the file through request.php?f=main.jpg instead of requesting it directly like domain.com/main.jpg
It's a little ugly work around but it works. Of course I had to add the header Access-Control-Allow-Origin like this. That way I don't need to specify that header in .htaccess file.
if (isset($_SERVER['HTTP_ORIGIN']) && strpos($_SERVER['HTTP_ORIGIN'],'safedomain') !== false) {
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400'); // cache for 1 day
}
// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
exit(0);
}
Solution 2
Without the complete .htaccess I don't exactly know but when more processing is done within Apache adding the condition always
might be needed:
Header always set Access-Control-Allow-Origin "*"
The manual explains it as follows:
When your action is a function of an existing header, you may need to specify a condition of always, depending on which internal table the original header was set in.
The table that corresponds to always is used for locally generated error responses as well as successful responses. Note also that repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers:
You're adding a header to a locally generated non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
You're modifying or removing a header generated by a CGI script, in which case the CGI scripts are in the table corresponding to always and not in the default table.
You're modifying or removing a header generated by some piece of the server but that header is not being found by the default onsuccess condition.
Related videos on Youtube
Abdalla
Updated on September 18, 2022Comments
-
Abdalla over 1 year
I have a site with http and https. I set in the .htaccess the following line which runs for http.
Header set Access-Control-Allow-Origin "*"
But with https I get this error.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://dl.dropboxusercontent.com' is therefore not allowed access.
I tried the following with no luck.
Header set Access-Control-Allow-Origin "*" env=HTTPS
Any way to set Access-Control-Allow-Origin header for https in .htaccess?
Here is my complete .htaccess
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> <IfModule mod_headers.c> Header always set Access-Control-Allow-Origin "*" </IfModule>
Here is my virtual host settings
<VirtualHost *:443> ServerAdmin admin@localhost DocumentRoot /var/www/html/domain ServerName domain.com SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile "/etc/pki/tls/private/domain.crt" SSLCertificateKeyFile "/etc/pki/tls/private/domain.key" SSLCACertificateFile "/etc/pki/tls/private/domain.ca-bundle.crt" <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ErrorLog logs/domain-error_log CustomLog logs/domain-access_log common <Directory "/var/www/html/domain"> AllowOverride All </Directory> </VirtualHost>
Any solution?
-
HBruijn almost 9 yearsAnd changing the order of directives ?
-
Abdalla almost 9 yearsI am sorry, but I am not sure what do you mean. @HBruijn
-
Abdalla almost 9 yearsI added virtual host settings and complete .htaccess file.
-
HBruijn almost 9 yearsAdd the Header directive to the top of your configuration, Apache parses directives in order so sometimes the setting one before the other leads to unexpected results.
-
Abdalla almost 9 yearsI put the <IfModule mod_headers.c> in the top, but still no luck.