Best IT Recipes

Access-Control-Allow-Origin header set in .htaccess not working

I cannot understand why my .htaccess header settings do not work.

My .htaccess file contents:

 Header set Access-Control-Allow-Origin * Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT" Header always set Access-Control-Allow-Headers "*" RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php [QSA,L]

But when I remove Header and add them to index.php , then everything works fine.

 header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS"); header("Access-Control-Allow-Headers: *");

What am I missing?

+87
cors .htaccess mod-rewrite rewrite
May 17 '12 at 17:33
source share
9 answers

This should work:

 Header add Access-Control-Allow-Origin "*" Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type" Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
+130
Jul 27 '12 at 16:19
source share

Just for the protocol, I ran into exactly the same problem and none of the answers worked.

I used the header checker tool: http://www.webconfs.com/http-header-check.php

I tested my IP ( http://192.0.2.1/upload ) and I got the following:

 HTTP/1.1 301 Moved Permanently => Date => Sat, 10 Jan 2015 04:03:35 GMT Server => Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 Location => http://192.0.2.1/upload/ Content-Length => 380 Connection => close Content-Type => text/html; charset=iso-8859-1

A redirect has occurred and the AJAX request does not consider / does not perform redirects.

This turned out to be a missing slash at the end of the domain ( http://192.0.2.1/upload / )

I checked again with a slash at the end, and I got it below. A slash has also been added to the script, and now it works.

 HTTP/1.1 200 OK => Date => Sat, 10 Jan 2015 04:03:53 GMT Server => Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By => PHP/5.3.8 Access-Control-Allow-Origin => * Access-Control-Allow-Methods => PUT, GET, POST, DELETE, OPTIONS Access-Control-Allow-Headers => * Content-Length => 1435 Connection => close Content-Type => text/html

Use this tool to check if your headlines are good and troubleshoot.

+19
Jan 10 '15 at 4:36
source share

I have a hosting on GoDaddy. I also needed an answer to this question, and after a search I found that it was possible.

I wrote a .htaccess file, putting it in the same folder as my action page. Here is the contents of the .htaccess file:

 Header add Access-Control-Allow-Origin "*" Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type" Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

Here is my ajax call:

  $.ajax({ url: 'http://www.mydomain.com/myactionpagefolder/gbactionpage.php', //server script to process data type: 'POST', xhr: function() { // custom xhr myXhr = $.ajaxSettings.xhr(); if(myXhr.upload){ // check if upload property exists myXhr.upload.addEventListener('progress',progressHandlingFunction, false); // for handling the progress of the upload } return myXhr; }, //Ajax events beforeSend: beforeSendHandler, success: completeHandler, error: errorHandler, // Form data data: formData, //Options to tell JQuery not to process data or worry about content-type cache: false, contentType: false, processData: false });

See this article for reference:

Access-Control-Allow-Origin header set in .htaccess not working

+10
May 2, '13 at 15:54
source share

Be careful with:

  Header add Access-Control-Allow-Origin "*"

It’s not at all wise to give access to everyone. It is advisable to allow a list of only known trusted hosts ...

 Header add Access-Control-Allow-Origin "http://aaa.example" Header add Access-Control-Allow-Origin "http://bbb.example" Header add Access-Control-Allow-Origin "http://ccc.example"

With respect,

+8
07 Oct '16 at 8:55
source share

I activated the header headers of the Apache a2enmod module, and the problem was resolved.

+7
Dec 10 '15 at 4:32
source share

Try this in the .htaccess external root folder

 <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "*" </IfModule>

Be careful: the header adds Access-Control-Allow-Origin "*" It is not wise to give access to everyone at all. I think you should user:

 <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "http://example.com" </IfModule>
+3
Nov 03. '16 at 8:18
source share

I + 1'd Miro will respond to a link to the header site http://www.webconfs.com/http-header-check.php . It triggers a pop-up ad every time it is used, but nonetheless, it is very useful for checking for an Access-Control-Allow-Origin header.

I am reading a .json file from javascript on my web page. I found that adding the following to my .htaccess file fixes the issue when viewing my webpage in IE 11 (version 11.447.14393.0):

 <FilesMatch "\.(json)$"> <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "*" </IfModule> </FilesMatch>

I also added the following to the /etc/httpd.conf file (Apache configuration file):

 AllowOverride All

The header verification site has confirmed that the Access-Control-Allow-Origin header is now being sent (thanks Miro!).

However, Firefox 50.0.2, Opera 41.0.2353.69, and Edge 38.14393.0.0 all retrieve the file anyway, even without the Access-Control-Allow-Origin header. (Note: they can check IP addresses since both domains that I used are hosted on the same server with the same IPv4 address.)

However, Chrome 54.0.2840.99 m (64-bit) ignores the Access-Control-Allow-Origin header and fails anyway, erroneously reports:

No header "Access-Control-Allow-Origin" is present in the requested resource. Therefore, Origin '{mydomain}' is not allowed.

I think this should be something like "first." IE is working correctly; Chrome, Firefox, Opera and Edge do not work; and Chrome is the worst . Is this not the exact opposite of the ordinary case?

+2
Dec 14 '16 at 0:32
source share

After spending half a day without working. Using the header validation service, although everything works. Firewall at work robbed them

0
Apr 6 '16 at 17:56 on
source share

try this:

 <IfModule mod_headers.c> Header set Access-Control-Allow-Credentials true Header set Access-Control-Allow-Origin "your domain" Header set Access-Control-Allow-Headers "X-Requested-With" </IfModule>

It is advisable to allow a list of known trusted hosts.

0
Apr 10 '19 at 5:18
source share


More articles:


All Articles