I have a webpage on the domain https://imeet.pgi.com making an XMLHttpRequest to another domain. The request fails with the following console error (using Chrome browser):
XMLHttpRequest cannot load
https://pgidrive.com/eloqua/forminator/getForm.php. The
'Access-Control-Allow-Origin' header has a value
'https://imeet.pgi.coms' that is not equal to the supplied origin.
Origin 'https://imeet.pgi.com' is therefore not allowed access.
Note that the Access-Control-Allow Origin header has a value of:
https://imeet.pgi.coms with an "s" on the end.
Why does my Access-Control-Allow-Origin header have this incorrect value?
If it could be a typo somewhere, where would I look to check?
More background info: I have made this same request successfully from other domains with no issue. I have set a list of allowed origin domains that includes imeet.pgi.com on the .htaccess file on pgidrive.com.
Also, the code for the allowed origin domains in my .htaccess:
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(agenday.com|imeet.pgi.com|pgi.com|go.pgi.com|staging.pgi.com|imeetlive.pgi.com|globalmeet.pgi.com|latam.pgi.com|br.pgi.com|pgi.ca)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
In your htaccess file, when doing the following:
SetEnvIf Origin "http(s)?://(www\.)?(agenday.com|imeet.pgi.com|pgi.com|go.pgi.com|staging.pgi.com|imeetlive.pgi.com|globalmeet.pgi.com|latam.pgi.com|br.pgi.com|pgi.ca)$" AccessControlAllowOrigin=$0$1
you have AccessControlAllowOrigin=$0$1. Here, $0 means the whole matched string, and $1 means the first matched group. The first matched group here is (s)?.
When you make a request using the origin: https://imeet.pgi.com, the pattern is parsed and grouped as follows:
$0 = `https://imeet.pgi.com`
$1 = `s`
$3 = `imeet.pgi.com`
which is why you see the s character.
Change that to (basically, remove the $1):
SetEnvIf Origin "https?://(?:(?:agenday|(?:(?:imeet|go|staging|imeetlive|globalmeet|latam|br)\.)?pgi)\.com|pgi\.ca)$" AccessControlAllowOrigin=$0
Related
In my location / directive I have added the following if statement to redirect all requests with the .html extension to the non-extension url:
if ($request_uri ~ ^/(.*)\.html) {
return 301 /$1$is_args$args;
}
This works fine, but actual .html files are also being redirected which results in a 404. I want to avoid this by adding an exception for all requests if the the url contains the directory "/static/", but I am not sure how to do that. I tried to add the following if statement before the if statement above:
if ($request_uri ~ /static/) {
}
But I'm not sure what to put in it to stop it from executing the .html if statement. Return $host$request_uri doesn't work, unfortunately.
How would I be able to do this? I cannot use location directives due to limitations of my host. Everything is being done in in the location / directive.
I am hosting a website with multiple subdomains from S3 buckets through Cloudfront.
When I go to www.domain.com/subdomain/ (note: with trailing slash), the website loads correctly and fetches the minified .js and .css files from www.domain.com/subdomain/****.js.
However if I navigate to www.domain.com/subdomain without the trailing slash, the site's index.html is still served but the assets attempt to be fetched from www.domain.com/****.js.
I have tried to use a lamba#edge function to change the request uri and append the slash however that is not working. Thanks for any help!
This will be caused by the html referencing relative file paths (i.e. src="****.js" vs src="/subdomain/****.js").
If you are looking to fix this, you will need to perform a redirect to the slash path in the users browser. This can be done by using a Lambda#Edge function to perform the redirect in the Origin Response event.
An example redirect function is below
def lambda_handler(event, context):
# Generate HTTP redirect response with 302 status code and Location header.
response = {
'status': '302',
'statusDescription': 'Found',
'headers': {
'location': [{
'key': 'Location',
'value': 'http://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html'
}]
}
}
return response
For this you would need to add your custom logic to check if the URL needs to be redirected by checking for a "/" character as the last character of the request.
Additionally if you can change the path of your css, js and images from being relative to being absolute as pointed out at the top of this answer.
I am using nginx as a proxy server to send the requests to backend pool members .
I have a header -- Content-Type: multipart/form-data; boundary="21ad608c-8e00-4c0c-8a06-5ed1280e9532"
The boundary value in the header changes all the time.
How can I do a header check for only "Content-Type: multipart/form-data;" value and route the requests to the backend. when I do a print of $http_content_type value , everything including boundary value is getting printed . I am not able to do an if check on just " Content-Type: multipart/form-data; " value .
Can I put a wild card in the nginx config like -- "multipart/form-data; * " to pass the if loop ?
Please let me know.
An Nginx wildcard? Yes, sort of, via a regex:
if ($http_content_type !~ '^multipart/form-data;') deny-the-request
This means that the Content-Type must start with multipart/form-data;. After that, any boundary=...whatever... is allowed.
Complete example:
location /-/upload-public-file {
limit_except POST OPTIONS {
deny all;
}
if ($http_content_type !~ '^multipart/form-data;') {
return 406; # status code Not acceptable
}
Ok, so my new problem in Elixir is that I can't set the explicit domain while creating cookies.
In this case:
HTTPoison.get("httpbin.org/cookies", [{"User-agent", #userAgent}], hackney: [
cookie: "cookie1=1 cookie2=2"] ) do
When I create a cookie it will store a domain like .httpbin.org but for dummy reason I need to set domain value like httpbin.org (without previous dot) .
I tried also with:
HTTPoison.get("httpbin.org/cookies", [{"User-agent", #userAgent}], hackney: [
cookie: "cookie1=1 domain=httpbin.org cookie2=2"] ) do
But of course the syntax expects domain as a cookie name and httpbin.org as a cookie value.
Thank you!
What's the reason you want to remove the dot in the beginning? It's optional and it should match the entire domain with/without the dot.
How do browser cookie domains work?
Also, I think the domain attribute would be for the Set-Cookie header returned from HTTP server rather than requesting from the client. The httpbin (https://httpbin.org/cookies/set) returns the Set-Cookie header, but it doesn't specify domain attribute (just Path=/). It would be taken as .httpbin.org by clients like browsers.
iex(25)> response = HTTPoison.get!("https://httpbin.org/cookies/set?k2=v2&k1=v1")
%HTTPoison.Response{body: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>Redirecting...</title>\n<h1>Redirecting...</h1>\n<p>You should be redirected automatically to target URL: /cookies. If not click the link.",
headers: [{"Server", "nginx"}, {"Date", "Fri, 18 Dec 2015 23:49:46 GMT"},
{"Content-Type", "text/html; charset=utf-8"}, {"Content-Length", "223"},
{"Connection", "keep-alive"}, {"Location", "/cookies"},
{"Set-Cookie", "k2=v2; Path=/"}, {"Set-Cookie", "k1=v1; Path=/"},
{"Access-Control-Allow-Origin", "*"},
{"Access-Control-Allow-Credentials", "true"}], status_code: 302}
iex(26)> :hackney.cookies(response.headers)
[{"k1", [{"k1", "v1"}, {"Path", "/"}]}, {"k2", [{"k2", "v2"}, {"Path", "/"}]}]
Sorry if I'm missing the point.
<FilesMatch "\.(json|txt)$" >
SetEnvIf Origin "http(s)?://(www\.)?(sub.domain.com|sub2.domain.com|www.domain2.com)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
</FilesMatch>
If I use middle block on it's own (without FilesMatch) then it works and i can make my request. If I test my FilesMatch by putting Deny from all inside it then it clearly works as well. But put both of them together and I can't make the request. It seems to go thrum, but without credentials and throws out Access-Control-Allow-Origin warning.
Try to put your \. inside the brackets
<FilesMatch "(?<!\.json|\.txt)$">
Try to enclose your expression as string, like "%{AccessControlAllowOrigin}e"
<FilesMatch "(?<!\.json|\.txt)$" >
SetEnvIf Origin "http(s)?://(www\.)?(sub.domain.com|sub2.domain.com|www.domain2.com)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin "%{AccessControlAllowOrigin}e" env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
</FilesMatch>