serve the way w3c sez to do it #103

Open
wants to merge 3 commits into
base: gh-pages

timball commented Jun 9, 2015

The previous version of the nginx configs did not follow the recommendations of the w3c and as a result some clients would balk at the headers being served. This PR fixes issue #102.

--timball

if ($cors = OP) {
add_header 'Access-Control-Allow-Origin' $http_origin;
# these are only needed on OPTIONS
add_header 'Access-Control-Allow-Credentials' 'true'; # techically only needed if doing credentials
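
Review bot: in the `if ($cors = OP)` branch, `Access-Control-Allow-Origin` is set to whatever `$http_origin` the client sent while `Access-Control-Allow-Credentials` is `true`, so every origin that reaches this branch is allowed credentialed access unless `$cors` is only set after an origin allowlist check, which these lines do not show. Suggest documenting that precondition next to the `if`, adding a `Vary: Origin` header since the response now differs per requesting origin, and adding the `always` parameter to each `add_header` so the headers are also sent on error responses. The trailing comment also has a typo (`techically`).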
Owner
The comment on line 35 makes it seem like Access-Control-Allow-Credentials is only required on OPTIONS requests, but it is needed on both the preflight and the actual request (if it is used).

timball (Author) commented Jun 10, 2015

feedback taken. code adjusted.

--timball

timball (Author) commented Jun 23, 2015

pull code ?

monsur (Owner) commented Jun 23, 2015

Sorry I'm traveling these past two weeks. I'll try to get to this by the end of this week.

On Mon, Jun 22, 2015 at 10:17 PM timball wrote:

> pull code ?

gurland commented Apr 1, 2021

So what is the current status of permissive CORS setup for nginx, @monsur? I skimmed through all the suggestions from the past 6 years and this is what I found:

  1. add_header always parameter needed
  2. Change Access-Control-Allow-Origin to $http_origin in order to support cross-origin authentication through Access-Control-Allow-Credentials: true header
  3. Get rid of ifs inside location blocks (https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)?
  4. Optionally add instructions for alternative way using ngx_headers_more module
  5. Add warnings why this wide-open CORS configuration is dangerous
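
An added example, not code from this pull request or from the project: one way to combine points 1 to 3 and 5 above, using an origin allowlist built with `map` in place of echoing every `$http_origin`. The origins, `server_name`, upstream address and the `$cors_*` variable names are constructed placeholders.

```nginx
# Added example. Origins, server_name and the upstream address are constructed.
#
# Weak pattern, as in the reviewed hunk (every Origin is echoed back and
# allowed to send credentials):
#   add_header 'Access-Control-Allow-Origin' $http_origin;
#   add_header 'Access-Control-Allow-Credentials' 'true';

# http{} context. Unlisted origins map to "", and add_header does not emit
# a header whose value is empty.
map $http_origin $cors_origin {
    default                      "";
    "https://app.example.com"    $http_origin;
    "https://admin.example.com"  $http_origin;
}

# Credentials flag only for an allowed origin.
map $cors_origin $cors_credentials {
    default  "true";
    ""       "";
}

# Preflight-only header: OPTIONS request from an allowed origin.
map "$request_method:$cors_origin" $cors_methods {
    default        "";
    "~^OPTIONS:."  "GET, POST, OPTIONS";
}

server {
    listen 80;
    server_name api.example.com;

    location / {
        # Needed on the preflight and on the actual request; "always" keeps
        # them on error responses too.
        add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
        add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
        add_header 'Vary'                             'Origin'          always;
        add_header 'Access-Control-Allow-Methods'     $cors_methods     always;

        # "return" is one of the directives that is safe inside a location "if".
        if ($request_method = OPTIONS) {
            return 204;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

A request from an unlisted origin receives only `Vary: Origin`, so the browser blocks the cross-origin read.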
