How to add CORS (cross-origin policy) to all domains in NGINX?

I created a folder that will be used to serve static files (CSS, images, fonts, JS, etc.). I ended up pointing a subdomain CNAME at the folder for use on a CDN with my Magento 2 setup.

I want to allow access for ALL domains through CORS (cross-origin policy), and I also want to cache the data. This is what I have. (I am not asking for security suggestions or JSONP tips; I want global access to the file directory.)

    location /cdn-directory/ {
        location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2|zip|gz|gzip|bz2|csv|xml)$ {
            add_header Cache-Control "public";
            add_header X-Frame-Options "ALLOW-FROM *";
            expires +1y;
        }
    }

According to the documentation, X-Frame-Options supports ALLOW-FROM uri, but I cannot see any examples of using * (all domains) or of adding several specific domains to this ALLOW-FROM. I need to allow all domains access to my static files folder.

+5
5 answers
    location /cdn-directory/ {
        location ~* \.(js|css|swf|eot|ttf|otf|woff|woff2)$ {
            add_header 'Cache-Control' 'public';
            add_header 'X-Frame-Options' 'ALLOW-FROM *';
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            expires +1y;
        }
    }

http://enable-cors.org/server_nginx.html

+3

All domains are allowed to embed resources (for example, inside an iframe, etc.) by default, and therefore no additional headers are required.

The sole purpose of the X-Frame-Options HTTP response header is to prohibit embedding interactive resources in an iframe on an external site, so if your intention is ALLOW-FROM * (which really should not be a valid directive as above), then you just have to omit this whole header completely, and everyone can have full and proper access to your static resources from any domain, as you like.

+4

I have not tried nginx, but this allows the origin of the current request in Tomcat:

 add_header X-Frame-Options "ALLOW-FROM $http_origin"; 
+3

Assuming you really want to use CORS (Cross Origin Request Sharing), and not just embed the iframe configuration:

    location /cdn-directory/ {
        location ~* \.(js|css|swf|eot|ttf|otf|woff|woff2)$ {
            add_header Cache-Control "public";
            add_header Access-Control-Allow-Origin "*";
            expires +1y;
        }
    }
+3

This might be redundant, but I used the following headers to install Magento 1.8.x for CORS:

    add_header 'Access-Control-Allow-Origin' "*";
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
0
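
Added example (not part of any answer above and not code from the original page): a small Python check that audits one response's headers for the header combinations discussed in this thread, namely `X-Frame-Options: ALLOW-FROM *` and a wildcard `Access-Control-Allow-Origin` sent together with `Access-Control-Allow-Credentials: true`. It goes one step beyond the thread by also flagging a single specific origin on a cached response without `Vary: Origin`; the rule ids and the sample header sets are constructed for illustration.

```python
# Added example, not from the thread: audit one response's headers for the
# CORS and framing mistakes discussed above. Sample header sets are constructed.

def audit_headers(headers):
    """Return a list of (rule_id, message) findings for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and current browsers ignore it; "*" was never a URI.
        findings.append(("xfo-invalid", f"X-Frame-Options {xfo!r} is ignored; "
                         "omit the header to allow framing everywhere"))

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        findings.append(("acao-missing", "no Access-Control-Allow-Origin: "
                         "cross-origin font and fetch/XHR reads will be blocked"))
    elif acao == "*":
        if creds:
            findings.append(("wildcard-with-credentials", "browsers reject '*' "
                             "for credentialed requests; drop Allow-Credentials"))
    elif "," in acao or " " in acao:
        findings.append(("acao-multiple", "only one origin, '*' or 'null' is valid"))
    else:
        # A single specific origin on a cacheable response needs Vary: Origin,
        # otherwise a shared cache can replay it to a different origin.
        vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
        if "origin" not in vary:
            findings.append(("vary-origin-missing",
                             "specific origin without 'Vary: Origin'"))
    return findings


# Constructed sample: the header set produced by the first answer's config.
FIRST_ANSWER = {
    "Cache-Control": "public",
    "X-Frame-Options": "ALLOW-FROM *",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
# Constructed sample: wildcard CORS only, no framing header, no credentials.
PUBLIC_STATIC = {"Cache-Control": "public", "Access-Control-Allow-Origin": "*"}

if __name__ == "__main__":
    for label, hdrs in (("first answer", FIRST_ANSWER), ("public static", PUBLIC_STATIC)):
        print(label, audit_headers(hdrs) or "OK")
```

The header dict can be filled from any HTTP client's response object for a file under `/cdn-directory/`.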

Source: https://habr.com/ru/post/1242185/

