I'm new to CORS and have learnt that the OPTIONS preflight request sent by the browser excludes user credentials. How do I get the filter (in httpd.conf) to respond to OPTIONS requests differently, i.e. bypassing the authentication?
This is my current configuration:
<LocationMatch /api>
SetEnvIfNoCase Origin "https://(www\.)?(domain1\.com|domain2\.com)(:\d+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS"
Header set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
AuthFormProvider ldap
AuthLDAPURL "ldap://localhost:10889/ou=Users,dc=work,dc=com?uid"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require valid-user
ErrorDocument 401 /login.html
ErrorDocument 500 /error.html
AuthType form
AuthName realm
Session On
SessionMaxAge 1800
SessionDBDCookieName session path=/
ProxyPass http://localhost:8080 timeout=31536000
AuthFormFakeBasicAuth On
</LocationMatch>
And the JavaScript which makes the request:
$.ajax({
type : "DELETE",
url : "https://www.domain1.com/api",
xhrFields: {
withCredentials: true,
},
success : function(data){
},
});
I've tried the following but with no luck:
(a)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
(b)
<Limit OPTIONS>
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "false"
Header always set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
Header always set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS,PUT"
</Limit>
(c)
<Limit OPTIONS>
Allow for all
</Limit>
(d)
SetEnvIfNoCase Request_Method OPTIONS allowed
Any idea? Please help!
I had the same issue which I solved today with the help of this question. Basically your option c.
My conf structure is:
conf/httpd.conf <- normal stuff
conf.d/ssl.conf <- set up ssl stuff
conf.d/api.conf <- set specific stuff to api like Auth
/var/www/.htaccess <- set specific stuff to api again
This allows for limiting everything except for OPTIONS.
/conf.d/api.conf file:
<Directory "/var/www/api">
AllowOverride All
Options FollowSymLinks
<LimitExcept OPTIONS>
# Auth stuff here
# Mainly your Require statements
</LimitExcept>
</Directory>
Then in my .htaccess file I set the headers.
The Apache manual in the Require directive states: "Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> [or <LimitExcept>] section."
I had to make sure my application could handle OPTIONS as this setup is not doing an automatic return. Here or here one can see how to redirect which may work instead of having something in the application handle it.
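Putting the answer's <LimitExcept OPTIONS> together with a preflight short-circuit in one place, as an added example that is neither the asker's nor the answerer's configuration: it assumes Apache 2.4 with mod_headers, mod_rewrite, mod_proxy, mod_auth_form and mod_authnz_ldap loaded, and reuses the host names and LDAP URL from the question. Only the Require check is scoped by method; the preflight is answered by Apache itself with 204 so the proxied application never has to handle OPTIONS.

```apache
<LocationMatch "^/api">
    # Echo back only whitelisted origins. The pattern is anchored with ^ and $ so that
    # a look-alike host cannot satisfy it; never answer "*" when credentials are allowed,
    # browsers reject that combination anyway.
    SetEnvIfNoCase Origin "^https://(www\.)?(domain1\.com|domain2\.com)(:\d+)?$" AccessControlAllowOrigin=$0

    # "always" puts the headers on non-2xx responses (e.g. the 401 from a failed login) too,
    # so the browser can read the real status instead of reporting an opaque CORS failure.
    Header always set Access-Control-Allow-Origin "%{AccessControlAllowOrigin}e" env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Credentials "true" env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS" env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type" env=AccessControlAllowOrigin
    Header always set Access-Control-Max-Age "600" env=AccessControlAllowOrigin
    # Caches must key on Origin, otherwise one origin's ACAO value could be served to another.
    Header merge Vary Origin

    # Answer the preflight here: a non-3xx R= status drops the substitution and ends the
    # request, so OPTIONS gets an empty 204 (with the headers above) and is never proxied.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^OPTIONS$
    RewriteRule ^ - [R=204,L]

    # Authentication setup stays at the location level ...
    AuthType form
    AuthName realm
    AuthFormProvider ldap
    AuthLDAPURL "ldap://localhost:10889/ou=Users,dc=work,dc=com?uid"
    AuthFormFakeBasicAuth On
    Session On
    SessionMaxAge 1800
    SessionDBDCookieName session path=/

    # ... but the access control is enforced for every method except OPTIONS, which
    # carries no cookies or Authorization header and therefore could never pass it.
    <LimitExcept OPTIONS>
        Require valid-user
    </LimitExcept>

    ProxyPass http://localhost:8080
</LocationMatch>
```

A quick check from the command line is an OPTIONS request with an Origin header and no cookie, which should return 204 with the Access-Control-* headers, followed by a DELETE with the same Origin and no credentials, which must still get the 401.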