Genda1ph
commented
9 years ago First-off: location / doesn't always work due to location precedence. So, a slightly better option would be to use map directive, something like map $http_origin $cors { default ""; "https?://domain.tld" "1"; }
and then use IF directive to set appropriate CORS policy
As for methods - it's quite easy, using map map $request_method $cors_method { default "GET, POST"; "OPTIONS" "GET, POST, OPTIONS"; }
I haven't read the document yet, but I'm trying to write a config that would work from conf.d, so I won't have to bother setting it up for every site, unless absolutely necessary.
sicking
Using the "Wide Open" configs for nginx produced errors for some clients. After digging w/ @jcarbaugh we found that the w3c recommends a different standard of flow control. Specifically if
ORIGINheader was not set you are to terminate and not set any of theCORSheaders.Not just that but the configs also set headers like
Access-Control-Allow-MethodsandAccess-Control-Allow-HeadersforGETandPOSTrequests when they should only be set on theOPTIONSrequests (aka "preflight" requests).Finally the w3c bullet point 3 in section 6.1 thats that:
which the configs also explicitly set with
add_header 'Access-Control-Allow-Credentials' 'true'expect a PR very soon.
--timball