I'm new to CORS and found out that the OPTIONS pre-check request sent by the browser does not include user credentials. How to get a filter (in httpd.conf) to respond to OPTIONS requests differently, that is, bypassing authentication?
This is my current configuration:
<LocationMatch /api> SetEnvIfNoCase Origin "https://(www\.)?(domain1\.com|domain2\.com)(:\d+)?$" AccessControlAllowOrigin=$0 Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin Header set Access-Control-Allow-Credentials "true" Header set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS" Header set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type" AuthFormProvider ldap AuthLDAPURL "ldap://localhost:10889/ou=Users,dc=work,dc=com?uid" AuthLDAPGroupAttribute member AuthLDAPGroupAttributeIsDN on Require valid-user ErrorDocument 401 /login.html ErrorDocument 500 /error.html AuthType form AuthName realm Session On SessionMaxAge 1800 SessionDBDCookieName session path=/ ProxyPass http://localhost:8080 timeout=31536000 AuthFormFakeBasicAuth On </LocationMatch>
And javascript that makes the request:
$.ajax({ type : "DELETE", url : "https://www.domain1.com/api", xhrFields: { withCredentials: true, }, success : function(data){ }, });
I tried the following but no luck:
(but)
RewriteEngine On RewriteCond %{REQUEST_METHOD} OPTIONS RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
(b)
<Limit OPTIONS> Header always set Access-Control-Allow-Origin "*" Header always set Access-Control-Allow-Credentials "false" Header always set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type" Header always set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS,PUT" </Limit>
(from)
<Limit OPTIONS> Allow for all </Limit>
(g)
SetEnvIfNoCase Request_Method OPTIONS allowed
Any idea? Please, help!
ajax cors apache .htaccess
user3802087
source share