monsur / enable-cors.org

Advocacy for CORS
http://enable-cors.org/

Basic Auth + CORS = Hell #105

Closed indolering closed 9 years ago

indolering commented 9 years ago

I recently tried to create an Apache 2.2 config that would allow credentialed requests. It turns out there are some issues with browsers sending credentials with a preflight request, so I came up with the following requirements:

The following should work for Apache 2.2+

<IfModule mod_headers.c>
  # Workaround for Apache 2.2 not supporting If/then logic. Prevents setting
  # broken headers when the client request does not pass an Origin header,
  # but mirrors the requesting domain when Origin is passed in.
  # Apache comments must sit on their own line: a trailing "#..." on a
  # SetEnvIf line is parsed as further variable names to set, not a comment.

  # Origin has 1 or more characters: echo it back. Note this echoes ANY
  # origin, so together with Allow-Credentials=true below every site gets
  # credentialed access; tighten the regex to trusted origins if unintended.
  SetEnvIfNoCase ORIGIN ".+" ORIGINVAR=$0
  # Origin has 0 characters (header absent). No quotes around the value:
  # quotes inside a word are kept literally and would emit the header "*".
  SetEnvIfNoCase ORIGIN "^$" ORIGINVAR=*
  Header always set Access-Control-Allow-Origin %{ORIGINVAR}e

  # Adding quotes around true/false will break things in the browser.
  SetEnvIfNoCase ORIGIN ".+" CREDS=true
  SetEnvIfNoCase ORIGIN "^$" CREDS=false
  Header always set Access-Control-Allow-Credentials %{CREDS}e

  Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
  Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token, HTTP_X_HTTP_METHOD_OVERRIDE, X-AUTH_COMBINED"

  # Respond with a 200 to every OPTIONS (preflight) request. R with a non-3xx
  # status drops the substitution and stops rewriting as if L were given.
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^(.*)$ $1 [R=200,L]
</IfModule>

However, I cannot get Firefox to send a cross domain Ajax request with basic auth. It just refuses to send a preflight. I will try again without jQuery, but I don't understand why jQuery would cause issues and I consider jQuery support a requirement.

Any advice?
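As an added example (not part of the issue or the config above), this Python models the header logic the posted config produces for requests with and without an Origin header, runs a check for the reflected-origin-plus-credentials pattern it creates, and shows an allowlisted variant that passes the check; the allowlist and the probe origin are constructed values.

```python
import re

# Constructed allowlist for the hardened variant (assumption, not from the issue).
TRUSTED_ORIGINS = {"https://app.example.com"}


def cors_headers_as_posted(origin):
    """Reproduce what the posted Apache config emits for a given Origin value.

    origin=None models a request with no Origin header; mod_setenvif then
    matches the regexes against the empty string, so "^$" fires.
    """
    value = origin or ""
    if re.search(r".+", value):          # SetEnvIfNoCase ORIGIN ".+" ORIGINVAR=$0 / CREDS=true
        allow_origin, creds = value, "true"
    else:                                # SetEnvIfNoCase ORIGIN "^$" ORIGINVAR=* / CREDS=false
        allow_origin, creds = "*", "false"
    return {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Credentials": creds,
    }


def cors_headers_allowlisted(origin):
    """Hardened variant: echo the Origin only when it is on the allowlist."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            # Response differs per Origin, so caches must key on it.
            "Vary": "Origin",
        }
    # Unknown or missing Origin: grant nothing; the browser blocks the read.
    return {}


def reflects_any_origin_with_credentials(policy, probe="https://untrusted.example"):
    """Check: does the policy grant a credentialed cross-origin read to an
    arbitrary origin? True means any site can call the API with the user's
    basic-auth cookies/credentials attached."""
    hdrs = policy(probe)
    return (
        hdrs.get("Access-Control-Allow-Origin") == probe
        and hdrs.get("Access-Control-Allow-Credentials", "").lower() == "true"
    )


if __name__ == "__main__":
    for name, policy in (("posted", cors_headers_as_posted), ("allowlisted", cors_headers_allowlisted)):
        print(name, "reflects any origin with credentials:", reflects_any_origin_with_credentials(policy))
```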

monsur commented 9 years ago

You may have better luck asking this question on Stack Overflow. This issue board is for the site itself.

indolering commented 9 years ago

FWIW, the problem went away when it was deployed in the field. This probably has to do with Apache's basic auth protection of directories.