graycoreio / magento2-cors

A Magento 2 module that enables configurable CORS Headers on the GraphQL and REST APIs
https://packagist.org/packages/graycore/magento2-cors
MIT License

[FEAT] Support "wildcard-like" subdomain of a given origin #76

Closed. writyou closed this issue 2 years ago.

writyou commented 2 years ago

Can you support `'cors_allowed_origins' => 'https://*.abc.com'`, i.e. a "*" wildcard, so that any domain name under that domain can be accessed?

damienwebdev commented 2 years ago

@writyou Some considerations of this behavior:

| Origin                           | Configuration     | Allowed |
| -------------------------------- | ----------------- | ------- |
| https://test.example.com         | https://*.abc.com | 0       |
| https://abc.com                  | https://*.abc.com | ?       |
| https://www.abc.com              | https://*.abc.com | 1       |
| https://test.abc.com             | https://*.abc.com | 1       |
| https://test.abc.com.example.com | https://*.abc.com | 0       |
| http://test.example.com          | https://*.abc.com | 0       |
| http://abc.com                   | https://*.abc.com | 0       |
| http://www.abc.com               | https://*.abc.com | 0       |
| http://test.abc.com              | https://*.abc.com | 0       |
| http://test.abc.com.example.com  | https://*.abc.com | 0       |

For the https://abc.com what would you intend?

writyou commented 2 years ago

A list of strings representing regexes that match Origins that are authorized to make cross-site HTTP requests. Defaults to []. Useful when CORS_ALLOWED_ORIGINS is impractical, such as when you have a large number of subdomains. Example: CORS_ALLOWED_ORIGIN_REGEXES = [ r"^https://\w+\.example\.com$", ]

My use case is multi-site and multi-language; the other language sites share all resources, such as the main site's static files.

e.g. main website: https://www.enerart.com; others: fr.enerart.com, de.enerart.com, .......

Now I have configured it in env.php, run the upgrade, and cleared the cache, but the other sites still report cross-domain errors; the URL is https://de.enerart.com. Please help me see how this should be configured so that it is both more secure and accessible. I think doing this saves network traffic and improves request speed, but I'm not sure whether that is the case. Grateful.

damienwebdev commented 2 years ago

@writyou if I understand you correctly, could you use:

```php
<?php
return [
    ...
    'system' => [
        'default' => [
            'web' => [
                'graphql' => [
                    'cors_allowed_origins' => 'https://www.enerart.com, https://de.enerart.com, https://fr.enerart.com',
                    ...
                ],
                'api_rest' => [
                    'cors_allowed_origins' => 'https://www.enerart.com, https://de.enerart.com, https://fr.enerart.com',
                    ...
                ]
            ]
        ]
    ]
    ...
];
```

Is this root issue that you find listing domains too tedious or that there are too many?

writyou commented 2 years ago

```php
'system' => [
    'default' => [
        'web' => [
            'graphql' => [
                'cors_allowed_origins' => 'https://www.enerart.com, https://fr.enerart.com, https://de.enerart.com, https://ru.enerart.com, https://jp.enerart.com, https://vn.enerart.com, https://kr.enerart.com, https://pl.enerart.com, https://in.enerart.com, https://hk.enerart.com, https://id.enerart.com, https://my.enerart.com, https://it.enerart.com, https://nl.enerart.com, https://pt.enerart.com, https://ar.enerart.com, https://af.enerart.com, https://th.enerart.com, https://mm.enerart.com, https://tl.enerart.com',
                'cors_allowed_methods' => 'POST, OPTIONS',
                'cors_allowed_headers' => 'accept,accept-encoding,authorization,content-type,dnt,origin,user-agent,x-csrftoken,x-requested-with',
                'cors_max_age' => '86400',
                'cors_allow_credentials' => 1
            ],
            'api_rest' => [
                'cors_allowed_origins' => 'https://www.enerart.com, https://fr.enerart.com, https://de.enerart.com, https://ru.enerart.com, https://jp.enerart.com, https://vn.enerart.com, https://kr.enerart.com, https://pl.enerart.com, https://in.enerart.com, https://hk.enerart.com, https://id.enerart.com, https://my.enerart.com, https://it.enerart.com, https://nl.enerart.com, https://pt.enerart.com, https://ar.enerart.com, https://af.enerart.com, https://th.enerart.com, https://mm.enerart.com, https://tl.enerart.com',
                'cors_allowed_methods' => 'GET, POST, OPTIONS',
                'cors_allowed_headers' => 'accept,accept-encoding,authorization,content-type,dnt,origin,user-agent,x-csrftoken,x-requested-with',
                'cors_max_age' => '86400',
                'cors_allow_credentials' => 1
            ]
        ]
    ]
],
```


At present the configuration is like this, but it still reports an error, and after the page opens, clicking on the JS-related content has no effect.


```text
de.enerart.com/:1 Access to XMLHttpRequest at 'https://www.enerart.com/static/version1662571235/frontend/Enerart/enerart/de_DE/Magento_Ui/templates/block-loader.html' from origin 'https://de.enerart.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
text.min.js:9 GET https://www.enerart.com/static/version1662571235/frontend/Enerart/enerart/de_DE/Magento_Ui/templates/block-loader.html net::ERR_FAILED
```

writyou commented 2 years ago

At present, it needs to be configured in nginx.conf to fully take effect. The configuration is as follows. But is this "*" insecure, and can the different permissions be handled entirely in env.php?

```nginx
location ~ \.(ico|jpg|jpeg|png|gif|svg|svgz|webp|avif|avifs|js|css|eot|ttf|otf|woff|woff2|html|json|webmanifest)$ {
    add_header Cache-Control "public";
    add_header X-Frame-Options "SAMEORIGIN";
    # wildcard origin on every static response
    add_header 'Access-Control-Allow-Origin' '*' always;
    expires +1y;

    if (!-f $request_filename) {
        rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
    }
    # answer preflights for static files without hitting PHP
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Headers' 'x-requested-with' always;
        add_header 'Access-Control-Max-Age' 86400 always;
        add_header 'Content-Length' 0 always;
        return 204;
    }
}
```
damienwebdev commented 2 years ago

@writyou it looks like you're trying to add CORS to static assets (not the REST or GraphQL APIs). This is outside the scope of this package.
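As an added example that is not code from graycore/magento2-cors nor from anyone in this thread, the PHP below implements the wildcard-subdomain semantics of damienwebdev's table (same scheme, same port, at least one label below the base domain, so the apex `https://abc.com` in the "?" row is not matched unless listed explicitly) and, for the nginx `*` question, shows how a server should turn a matched origin into response headers: `*` is only usable without credentials, and with `cors_allow_credentials` on, the exact origin must be echoed together with `Vary: Origin`. The pattern grammar (`*`, `https://host[:port]`, `https://*.host[:port]`) and all function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical matcher for a comma-separated origin allowlist (example code).
// Requires PHP 8 for str_ends_with().

/** Split "scheme://host[:port]" into normalized parts; null if malformed. */
function parseOrigin(string $origin): ?array
{
    $p = parse_url(trim($origin));
    if ($p === false || !isset($p['scheme'], $p['host'])
        || isset($p['path']) || isset($p['query']) || isset($p['fragment'])
        || isset($p['user']) || isset($p['pass'])) {
        return null; // an Origin header is scheme://host[:port] and nothing else
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['scheme' => $scheme, 'host' => strtolower($p['host']), 'port' => $port];
}

/** Parse a configured entry: "*", "https://host[:port]" or "https://*.host[:port]". */
function parsePattern(string $pattern): ?array
{
    $pattern = rtrim(trim($pattern), '/');
    if ($pattern === '*') {
        return ['any' => true];
    }
    if (!preg_match('~^(https?)://(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+))?$~i', $pattern, $m)) {
        return null;
    }
    $scheme = strtolower($m[1]);
    return [
        'any'      => false,
        'scheme'   => $scheme,
        'wildcard' => $m[2] !== '',
        'host'     => strtolower($m[3]),
        'port'     => isset($m[4]) && $m[4] !== '' ? (int) $m[4] : ($scheme === 'https' ? 443 : 80),
    ];
}

function originMatches(string $origin, string $pattern): bool
{
    $o = parseOrigin($origin);
    $p = parsePattern($pattern);
    if ($o === null || $p === null) {
        return false; // fail closed on anything we cannot parse
    }
    if ($p['any']) {
        return true;
    }
    if ($o['scheme'] !== $p['scheme'] || $o['port'] !== $p['port']) {
        return false; // http://www.abc.com is not https://www.abc.com
    }
    if (!$p['wildcard']) {
        return $o['host'] === $p['host'];
    }
    // Wildcard: require a label boundary, so "test.abc.com.example.com" and
    // "notabc.com" do not match, and the apex "abc.com" itself does not either.
    $suffix = '.' . $p['host'];
    return strlen($o['host']) > strlen($suffix) && str_ends_with($o['host'], $suffix);
}

/** CORS headers for $origin, or [] (emit nothing) when it is not allowed. */
function corsResponseHeaders(string $origin, string $allowedOrigins, bool $allowCredentials): array
{
    $patterns = array_filter(array_map('trim', explode(',', $allowedOrigins)), 'strlen');
    foreach ($patterns as $pattern) {
        if (!originMatches($origin, $pattern)) {
            continue;
        }
        if ($pattern === '*') {
            // Browsers reject "*" combined with credentials, and reflecting every
            // Origin instead would let any site read authenticated responses, so
            // "*" is ignored in credentialed mode; an explicit entry may still match.
            if ($allowCredentials) {
                continue;
            }
            return ['Access-Control-Allow-Origin' => '*']; // fine for public, cookie-less files
        }
        $headers = ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'];
        if ($allowCredentials) {
            $headers['Access-Control-Allow-Credentials'] = 'true';
        }
        return $headers;
    }
    return [];
}

/** Re-check the table from the thread (plus two extra rows); returns the rows that disagree. */
function tableSelfTest(): array
{
    $expected = [
        'https://test.example.com'         => false,
        'https://abc.com'                  => false, // the "?" row: the apex is not a subdomain
        'https://www.abc.com'              => true,
        'https://test.abc.com'             => true,
        'https://test.abc.com.example.com' => false,
        'http://test.example.com'          => false,
        'http://abc.com'                   => false,
        'http://www.abc.com'               => false,
        'http://test.abc.com'              => false,
        'http://test.abc.com.example.com'  => false,
        'https://notabc.com'               => false, // extra: no label boundary
        'https://www.abc.com:8443'         => false, // extra: port must match too
    ];
    $failures = [];
    foreach ($expected as $origin => $allowed) {
        if (originMatches($origin, 'https://*.abc.com') !== $allowed) {
            $failures[] = $origin;
        }
    }
    return $failures;
}

$failures = tableSelfTest();
echo $failures === [] ? "table OK\n" : 'mismatch: ' . implode(', ', $failures) . "\n";
print_r(corsResponseHeaders('https://de.enerart.com', 'https://*.enerart.com', true));
print_r(corsResponseHeaders('https://evil.example', '*', true)); // empty: "*" is ignored with credentials
```

Run with `php example.php`; the self-test reproduces every row of the table above. For the static-asset question, the same rule applies to nginx: `Access-Control-Allow-Origin: *` on files that carry no cookies or tokens is harmless, but it cannot be combined with credentials, and once the allowed origin is echoed per request rather than `*`, `Vary: Origin` must be set so a shared cache does not serve one site's answer to another.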