server.conf: https://dpaste.org/6Zgn
This is Apache's config in OpenServer.
Problem:
As far as I understand, it has something to do with Access-Control-Allow-Origin
I wrote:
Header set Access-Control-Allow-Origin "*"
It has not helped. I have either written it in the wrong place or something.
Could you help me?
This is because the server is blocking the frontend from making requests.
I faced the same error for a long time
The only possible solution for this situation is to allow the host from the server-side.
Whichever backend you are using, search for a way to somehow allow the domain host from there.
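For example, for PHP:
<?php
// Send the CORS header on every response, not only on the preflight:
// the browser also checks it on the response to the actual request.
header('Access-Control-Allow-Origin: *');
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    // Preflight request: the headers are the whole answer, no body is needed.
    die();
}
// some other code
?>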
More resources: Cross-Origin Request Headers(CORS) with PHP headers
Related
I want to remove a cache-control header from URLs with a specific query parameter, e.g. when the query parameter ajax=1 is present.
e.g
www.domain.com?p=3&scroll=1&ajax=1&scroll=1
These are getting cached by Chrome browsers for longer than I would like and I would like to stop that in this specific case. I have tried with .htaccess, which works for static files, however it is not in action on the URLs mentioned above.
RewriteEngine on
RewriteCond %{QUERY_STRING} (^|&)ajax=1(&|$)
Header unset "Cache-Control"
I could use a cache buster in the next website release but difficult in production and worried it would unnecessarily cache lots of files in user browsers so would rather achieve server side.
My server has Cloudflare then NGINX terminating SSL to Varnish then Apache with a Magento 2 instance running on there. So I'm thinking I could possibly achieve this with NGINX or Varnish configs, or even Cloudflare. I however couldn't seem to find a way to achieve this with page rules in Cloudflare, or could not find examples for Varnish or Nginx.
I'm assuming you don't want to cache when ajax=1 is part of your URL params?
You can do this in Varnish using the following VCL snippet:
sub vcl_backend_response {
    if (bereq.url ~ "\?([^&]*&)*ajax=1(&[^&]*)*$") {
        set beresp.http.cache-control = "private, no-cache, no-store";
        set beresp.uncacheable = true;
    }
}
This snippet will make sure Varnish doesn't cache responses where the URL contains an ajax=1 URL parameter. It will also make sure any caching proxy that sits in front will not cache, because of the Cache-Control: private, no-cache, no-store.
Is this what you're looking for?
I've tried to fetch data from Wordpress API in Vue App.
I am using DigitalOcean with Apache.
I've set Header set Access-Control-Allow-Origin "*" in vhost.
But now I've got an error like this:
Access to XMLHttpRequest at xxx from origin 'http://localhost:3000' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:3000, *', but only one is allowed.
I am using axios for requests.
Do you have any ideas what's going on?
Is it server side issue or should I set something in axios config?
Thanks.
This is a server-side issue. You need to enable CORS in your Apache config, by either:
Setting Header set Access-Control-Allow-Origin "*" - meaning that all origins are allowed to make requests to this server
Setting Header set Access-Control-Allow-Origin "http://localhost:3000"
This tells the server to accept requests from this origin(s). To explain further:
https://enable-cors.org/server_apache.html
Change your header set statement to:
Header always set Access-Control-Allow-Origin "*"
Otherwise Apache will prepend the origin in the request to the header, which causes the issue.
My website is running under HTTPS protocol and I use only 1 cookie (PHPSESSID). My server is Apache 2.2.22. I noticed that my cookie doesn't have the "HttpOnly" and "Secure" headers, then I tried to set it via my .htaccess:
Header set Set-Cookie HttpOnly;Secure
By the way, the .htaccess works perfectly (url rewriting, deflate, expire headers, Etags etc...). But now... my website generates 4 cookies and PHPSESSID seems not to be secure:
Am I missing something?
.htaccess is the wrong way to go about this.
PHP has session configuration options for this, you can either set them in your PHP configuration in the usual way (php.ini, ini_set, …), or via a dedicated function call.
session.cookie_httponly and session.cookie_secure are the relevant options here.
See http://php.net/manual/en/session.configuration.php and http://php.net/manual/en/function.session-set-cookie-params.php for additional details.
I have a Laravel app, which was hosted on Apache, but now has been migrated to nginx. I'm a total newbie with nginx.
On Apache I had this in my htaccess:
<IfModule mod_headers.c>
    <FilesMatch "\.(svg|ttf|otf|eot|woff|woff2)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>
The new hosting provider does not allow custom nginx configuration.
Is it possible to add a CORS header (Access-Control-Allow-Origin: *) for static font files (extensions: svg|ttf|otf|eot|woff|woff2) in the Laravel app PHP code? I tried (Adding Access-Control-Allow-Origin header response in Laravel 5.3 Passport) without success, my guess is that static files are not targeted by that piece of code. Can you confirm?
Is there a way to achieve this within my app's PHP code?
Thanks
Use this in your server block or nginx.conf to apply it globally.
location ~* \.(svg|ttf|otf|eot|woff|woff2)$ {
    add_header Access-Control-Allow-Origin *;
}
Make sure to restart nginx server for changes to take effect.
Suddenly, seemingly without changing anything in my web app, I started getting CORS errors when opening it in Chrome. I tried adding an Access-Control-Allow-Origin: * header. Then I get this error:
XMLHttpRequest cannot load http://localhost:9091/sockjs-node/info?t= 1449187563637. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost:3010' is therefore not allowed access.
But as you can see in the following image, there is no Access-Control-Allow-Credentials header.
WTF? Chrome bug?
My page is loaded at http://localhost:3010 and that server also uses Access-Control-Allow-Origin: * without problems. Is there a problem if the two endpoints both use it?
"credentials flag" refers to XMLHttpRequest.withCredentials of the request being made, not to an Access-Control-Allow-Credentials header. That was the source of my confusion.
If the request's withCredentials is true, Access-Control-Allow-Origin: * can't be used, even if there is no Access-Control-Allow-Credentials header.
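The failures quoted on this page (a combined value such as 'http://localhost:3000, *', and a wildcard used while withCredentials is true) come out of the same browser-side check. As an added example, not code from any of the posts: a simplified JavaScript model of that check, following the order of the Fetch standard's CORS check. The function name, the input shape and the sample cases are constructed here.

```javascript
// Added example: simplified model of the CORS check a browser runs on a response.
// Header values are arrays because a server can emit the same header more than once.
function corsCheck({ origin, withCredentials, allowOrigin = [], allowCredentials = [] }) {
  if (allowOrigin.length === 0) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // Repeated header lines are combined with ", " before they are compared.
  const value = allowOrigin.join(", ").trim();
  if (/[,\s]/.test(value)) {
    return { ok: false, reason: "multiple values" };
  }
  if (value === "*") {
    // The wildcard is only honoured for requests sent without credentials.
    return withCredentials
      ? { ok: false, reason: "wildcard with credentials" }
      : { ok: true, reason: "wildcard, no credentials" };
  }
  if (value !== origin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (withCredentials && allowCredentials.join(", ").trim() !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { ok: true, reason: "origin match" };
}

// Constructed cases mirroring the errors quoted on this page.
const sampleCases = [
  { name: "header set in two places", origin: "http://localhost:3000",
    withCredentials: false, allowOrigin: ["http://localhost:3000", "*"] },
  { name: "wildcard + withCredentials", origin: "http://localhost:3010",
    withCredentials: true, allowOrigin: ["*"] },
  { name: "echoed origin, no Allow-Credentials", origin: "http://localhost:3010",
    withCredentials: true, allowOrigin: ["http://localhost:3010"] },
  { name: "echoed origin + Allow-Credentials", origin: "http://localhost:3010",
    withCredentials: true, allowOrigin: ["http://localhost:3010"], allowCredentials: ["true"] },
];
for (const c of sampleCases) {
  const result = corsCheck(c);
  console.log(`${c.name}: ${result.ok ? "allowed" : "blocked"} (${result.reason})`);
}
```
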
Requests withCredentials:true, on a server configured with Access-Control-Allow-Origin: * CAN be used, but you will need some more extra config on your server:
Using Access-Control-Allow-Origin=* on the server, it will not allow access to any resource (that requires credentials) on any xhr CORS request.
Workarounds:
Make that remote resource on the server accessible without credentials (and use xhr.withCredentials = false).
Create a rewrite rule on the server, to modify the response header Access-Control-Allow-Origin=* to the request's origin. You can also apply this rewrite under certain criteria, for example, if the request is using a certain port or it comes from a list of whitelisted domains.
Here is an article that explains how to do this on an IIS server, but you can do this on many other servers:
PS: in case of using credentials, you will also need the following header on your server's response: Access-Control-Allow-Credentials=true
PS2: only 1 value is allowed for the "access-control-allow-origin" parameter. If you try to use for instance two domains: domain1.com domain2.com, it won't work.
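The second workaround above (answer the request's own origin instead of *, but only for whitelisted origins) can also be done in application code. An added example, not code from the answer: a Node-style handler in JavaScript. The allowlist entries, function names and the allowed methods and headers are assumptions made for the illustration.

```javascript
// Added example: echo the request's Origin only when it is on an exact-match allowlist.
// The origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "http://localhost:3010"]);

function corsHeadersFor(requestOrigin, { credentials = false } = {}) {
  // Vary: Origin keeps caches from serving one origin's response to another.
  const headers = { Vary: "Origin" };
  // Exact string match only: no substring or suffix tests, and never echo
  // an origin that is not on the list.
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return headers; // no Access-Control-Allow-Origin, so the browser blocks the read
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin; // a single value
  if (credentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Request handler with Node's (req, res) signature.
function handleRequest(req, res) {
  const headers = corsHeadersFor(req.headers.origin, { credentials: true });
  const isPreflight =
    req.method === "OPTIONS" && Boolean(req.headers["access-control-request-method"]);
  if (isPreflight) {
    // Assumed policy for the illustration: GET and POST with a JSON body.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    res.writeHead(204, headers);
    return res.end();
  }
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```

To serve it, pass the handler to Node's `http.createServer(handleRequest)` and call `listen` on the result.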
I solved the same problem by using these steps:
1) disable your chrome extension "Allow-Control-Allow-Origin"
2) add these into your service
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;