[Solved] Setting CORS (cross-origin resource sharing)

Discussion in 'Apache Migration/Compatibility' started by John C, Mar 19, 2018.

  1. John C

    John C Member

    Hi,
    Was hoping someone could help us setting up a rule in .htaccess for CORS policy for Access-Control-Allow-Origin.
    We found a bunch of posts on StackOverflow relating to this, all with the same general proposed solution.
    We implemented the accepted solution trying a variety of variations .... but none seemed to work.
    None of those posters appeared to be running LiteSpeed, so we're not sure if that's the issue and there's something we need to do slightly differently. We're running LS Enterprise 5.2.5 (build 2).

    Here's the rule....
    Code:
    SetEnvIf Origin "^http(s)?://(.+\.)?(domain1\.com|domain2\.com|domain3\.com)$" origin_is=$0
    Header always append Access-Control-Allow-Origin %{origin_is}e env=origin_is
    We have 3 domains all pointing to the same IP and directory where the .htaccess is located.
    Code:
    curl -I domain1
    curl -I domain2
    curl -I domain3
    If we remove the SetEnvIf line and just use:
    Code:
    Header always append Access-Control-Allow-Origin domain1
    ... it works just fine. It appears to be something with the syntax of the SetEnvIf line that LiteSpeed does not like.
    Please note: I used domain1,2,3 for posting purposes due to privacy reasons ... the rule on the server is using the actual domain names.

    Any help is much appreciated. Been fighting with this one for hours.

    Thanks.

    John
     
    Last edited by a moderator: Mar 20, 2018
  2. John C

    John C Member

    Anyone on the LiteSpeed staff care to comment on this?
    We have about 7 servers running LiteSpeed and will undoubtedly be running into the same issue when we try implementing this for other clients.
    Any guidance is greatly appreciated. Thanks.

    John
     
  3. John C

    John C Member

    Well, after much persistence, I was able to figure this out.
    The following format worked:
    Code:
    SetEnvIf Host ^(www\.)?domain1\.com$ CORDS_ENV=https://www.domain1.com
    SetEnvIf Host ^(www\.)?domain2\.com$ CORDS_ENV=https://www.domain2.com
    SetEnvIf Host ^(www\.)?domain3\.com$ CORDS_ENV=https://www.domain3.com
    Header always append Access-Control-Allow-Origin %{CORDS_ENV}e env=CORDS_ENV
    Credit to Fabian Schmengler on https://stackoverflow.com/questions/10727720/conditional-setenv-in-htaccess for the SetEnvIf Host recommendation. I hope this helps someone else.

    John
     
    Last edited by a moderator: Mar 22, 2018
  4. John C

    John C Member

    Small tweak ... had to change "Header always append" to "Header set" to avoid a header injection vulnerability.

    Code:
    SetEnvIf Host ^(www\.)?domain1\.com$ CORDS_ENV=https://www.domain1.com
    SetEnvIf Host ^(www\.)?domain2\.com$ CORDS_ENV=https://www.domain2.com
    SetEnvIf Host ^(www\.)?domain3\.com$ CORDS_ENV=https://www.domain3.com
    Header set Access-Control-Allow-Origin %{CORDS_ENV}e env=CORDS_ENV
     
    Last edited by a moderator: Mar 22, 2018
    Michael A likes this.
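
Added example (not part of the original thread and not LiteSpeed's own code): a small Python check for the output of the `curl -I` tests used above. It flags an Access-Control-Allow-Origin header that is missing, repeated, or carries more than one value, which is what appending onto an already-present header produces and which browsers reject. The allow-list reuses the thread's placeholder domains, and the sample responses are constructed.

```python
# Assumption: allow-list built from the thread's placeholder domains.
ALLOWED_ORIGINS = {
    "https://www.domain1.com",
    "https://www.domain2.com",
    "https://www.domain3.com",
}

# Constructed sample responses (not captured from a real server).
SET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: https://www.domain1.com\r\n\r\n"
)
APPEND_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: https://www.domain1.com, https://www.domain1.com\r\n\r\n"
)


def parse_headers(raw):
    """Parse `curl -I` output into (lowercased name, value) pairs, keeping duplicates."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_acao(raw, allowed=ALLOWED_ORIGINS):
    """Return findings for the Access-Control-Allow-Origin header(s) in one response."""
    values = [v for n, v in parse_headers(raw) if n == "access-control-allow-origin"]
    if not values:
        return ["missing"]
    findings = ["duplicate-header"] if len(values) > 1 else []
    for value in values:
        if "," in value or " " in value:
            findings.append("multiple-values")  # merged list: browsers fail the CORS check
        elif value == "*":
            findings.append("wildcard")
        elif value not in allowed:
            findings.append("not-in-allow-list")
    return findings or ["ok"]


if __name__ == "__main__":
    for label, raw in (("set", SET_RESPONSE), ("append", APPEND_RESPONSE)):
        print(label, check_acao(raw))
```

To use it against a live site, pass the text printed by `curl -I` for each domain to `check_acao`.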
