Access-Control-Allow-Origin for multiple domains, in a simpler way

Time: 2022-04-03 11:04:05
header('Access-Control-Allow-Origin: http://splash.example.com');
header('Access-Control-Allow-Credentials: true');

Hello again!

On my website, I have an ajax file ajax.php, where I need multiple (sub) domains to access it and fire requests.

The problem is that it works for splash.example.com and example.com with the solution posted above, and this in the request:

$.ajax({
    ...

    crossDomain: true,
    xhrFields: {
        withCredentials: true
    },

    ...
});

But isn't there an easier way? 'Cause right now it isn't working for www.example.com, even with the solution posted above.

I've tried putting this in my htaccess:

<IfModule mod_headers.c>
    Header add Access-Control-Allow-Origin "http://example.com"
    Header add Access-Control-Allow-Origin "http://www.example.com"
    Header add Access-Control-Allow-Origin "http://splash.example.com"
    Header set Access-Control-Allow-Credentials true
</IfModule>

but this didn't work somehow.

Can you guys help me?

2 answers

#1


5  

The preferred method would be to read the request header, find the origin, check it in your server side code. If the domain is allowed to access the page, send back the origin domain in one single Access-Control-Allow-Origin header.

Another pro: No other domain user would see the list of allowed domains. Every user would only see his own domain (if allowed).

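What that looks like in ajax.php, as an added example that is not part of this answer; the three-host allow-list is an assumption taken from the hosts named in the question. Two details a practitioner would want here: Access-Control-Allow-Origin must carry exactly one value (the three `Header add` lines in the question's .htaccess produce a multi-valued header, which browsers reject, and `*` cannot be combined with `Access-Control-Allow-Credentials: true`), and a response whose CORS header depends on the request should also send `Vary: Origin` so a shared cache never serves one origin's header to another.

```php
<?php
// Added example, not code from the original answer. Put this at the top of ajax.php.
// ALLOWED_ORIGINS is an assumption based on the hosts named in the question.
const ALLOWED_ORIGINS = [
    'http://example.com',
    'http://www.example.com',
    'http://splash.example.com',
];

/**
 * Decide which single Access-Control-Allow-Origin value to send.
 * Returns the canonical allow-listed origin, or null when the request carries
 * no Origin header or an origin that is not on the list.
 * The comparison covers the full origin (scheme, host, port), so
 * "http://example.com.attacker.net" or "https://example.com" do not match.
 */
function corsOriginToAllow(?string $origin, array $allowed = ALLOWED_ORIGINS): ?string
{
    if ($origin === null || $origin === '') {
        return null; // same-origin or non-browser request: no CORS headers needed
    }
    foreach ($allowed as $ok) {
        if (strcasecmp($origin, $ok) === 0) {
            return $ok; // echo the allow-listed value, never the raw request header
        }
    }
    return null;
}

/**
 * Emit the CORS headers for this request and answer preflights.
 * Returns true when the origin was allowed, false when nothing was sent.
 */
function sendCorsHeaders(?string $origin, string $method): bool
{
    $allow = corsOriginToAllow($origin);
    if ($allow === null) {
        return false; // unknown origin: the browser blocks the response client-side
    }
    header('Access-Control-Allow-Origin: ' . $allow);
    header('Access-Control-Allow-Credentials: true'); // lets the session cookie travel
    header('Vary: Origin'); // the header above differs per request; keep caches honest
    if ($method === 'OPTIONS') {
        // Preflight for non-simple requests (custom headers, JSON bodies, etc.)
        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Content-Type, X-Requested-With');
        header('Access-Control-Max-Age: 600');
        http_response_code(204);
        exit;
    }
    return true;
}

if (PHP_SAPI !== 'cli') {
    sendCorsHeaders($_SERVER['HTTP_ORIGIN'] ?? null, $_SERVER['REQUEST_METHOD'] ?? 'GET');
}
```

Because the response allows credentials, every origin on that list can make authenticated calls to ajax.php in the user's session; keep the list to hosts you control and drop the PHP `header()` lines from the top of the question (and any `Header set` in .htaccess) so the same header is not emitted twice.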

#2


3  

Had this issue too several weeks ago and found this great solution.

It allows access to any sub-domain by dynamically looking at the HTTP_Origin header, extracting the sub-domain of the origin host, and using that in the Access-Control-Allow-Origin header.

Just add the following to your .htaccess file:

<IfModule mod_headers.c>
<IfModule mod_rewrite.c>
  # Dynamically change the Access-Control-Allow-Origin header to match the sub-domain the request is coming from
  # Define the root domain that is allowed
  SetEnvIf Origin .+ ACCESS_CONTROL_ROOT=example.com
  # Check that the Origin: matches the defined root domain and capture it in an environment var if it does
  RewriteEngine On
  RewriteCond %{ENV:ACCESS_CONTROL_ROOT} !=""
  RewriteCond %{ENV:ACCESS_CONTROL_ORIGIN} =""
  RewriteCond %{ENV:ACCESS_CONTROL_ROOT}&%{HTTP:Origin} ^([^&]+)&(https?://(?:.+?\.)?\1(?::\d{1,5})?)$
  RewriteRule .* - [E=ACCESS_CONTROL_ORIGIN:%2]
  # Set the response header to the captured value if there was a match
  Header set Access-Control-Allow-Origin %{ACCESS_CONTROL_ORIGIN}e env=ACCESS_CONTROL_ORIGIN

  # Allow credentials to enable cookies being sent cross domain, so the user can stay logged in as long as the session file is available to both domains
  Header set Access-Control-Allow-Credentials "true"

  # Set here the headers needed for the AJAX requests, if a needed header is not in this list you will see an error in Chrome mentioning which header needs to be added here
  Header set Access-Control-Allow-Headers "sender, filename, content-type, accept, x-requested-with, x-request"
</IfModule>
</IfModule>
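
The RewriteCond above is the whole access decision, so it is worth seeing exactly which Origin values it reflects before deploying it. The following is an added example, not code from the answer: it replays that PCRE pattern in PHP (mod_rewrite uses PCRE too) over a set of constructed Origin values, and beside it shows a stricter variant that escapes the root domain and only accepts an explicit set of subdomains. The root domain `example.com` and the subdomain list are assumptions. The point to take away: the rule as written trusts every present and future subdomain of example.com with credentials, so a takeover of a dangling subdomain or an XSS on any subdomain becomes a credentialed call to ajax.php; it also sends no `Vary: Origin`, which matters once a cache sits in front of the server.

```php
<?php
// Added example, not code from the original answer.
const ROOT_DOMAIN = 'example.com'; // assumed; mirrors ACCESS_CONTROL_ROOT in the .htaccess

/**
 * Mirror of the RewriteCond: the subject is "<root>&<origin>" and group 2 captures
 * the origin only when its host is the root domain or any subdomain of it
 * (optional :port allowed). Returns the value that would be echoed in
 * Access-Control-Allow-Origin, or null when the rule would not fire.
 */
function reflectedOrigin(string $origin, string $root = ROOT_DOMAIN): ?string
{
    $subject = $root . '&' . $origin;
    $pattern = '#^([^&]+)&(https?://(?:.+?\.)?\1(?::\d{1,5})?)$#';
    return preg_match($pattern, $subject, $m) === 1 ? $m[2] : null;
}

/**
 * Stricter variant: root escaped with preg_quote, at most one subdomain label made
 * of hostname characters, and that label must be on an explicit allow-list.
 * $allowedSubdomains is an assumption (lower-case labels, e.g. ['www', 'splash']).
 */
function reflectedOriginStrict(string $origin, array $allowedSubdomains, string $root = ROOT_DOMAIN): ?string
{
    $pattern = '#^https?://(?:([a-z0-9-]+)\.)?' . preg_quote($root, '#') . '(?::\d{1,5})?$#i';
    if (preg_match($pattern, $origin, $m) !== 1) {
        return null;
    }
    $sub = strtolower($m[1] ?? '');
    return ($sub === '' || in_array($sub, $allowedSubdomains, true)) ? $origin : null;
}

// Constructed Origin header values for the comparison (not from the original page).
$samples = [
    'http://example.com',
    'http://www.example.com',
    'https://splash.example.com:8443',
    'http://example.com.attacker.net',  // suffix trick: both variants reject it
    'http://notexample.com',            // no dot before the root: both reject it
    'http://old-staging.example.com',   // loose rule trusts any subdomain, strict does not
    'null',                             // sandboxed iframe / file: origin: both reject it
];

foreach ($samples as $o) {
    printf("%-34s loose=%-34s strict=%s\n", $o,
        reflectedOrigin($o) ?? '(none)',
        reflectedOriginStrict($o, ['www', 'splash']) ?? '(none)');
}
```

Run it from the command line to see the two columns side by side; the loose column is what the .htaccess above does today, and `old-staging.example.com` is the row that shows why an explicit subdomain list (or the server-side check from the first answer) is the safer default when `Access-Control-Allow-Credentials` is true.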
