How to configure Access-Control-Allow-Origin in a personal account
How to configure Access-Control-Allow-Origin header on the origin side
Check Access-Control-Allow-Origin header
What is CORS?
Access-Control-Allow-Origin
response header is a part of a Cross-Origin Resource Sharing (CORS) mechanism that lets browsers get access to selected resources from a domain different to a domain from which the request is received.
The option sends a response with an Access-Control-Allow-Origin
header in a response to a browser and can help to:
- protect content from using at third-party sites or in third-party applications.
- prevent XMLHttpRequest cannot load http://domain.ru. No’Access-Control-Allow-Origin’ header is present on the requested resource error, which can appear when web fonts are loaded in Firefox, Internet Explorer and other default browsers from the CDN servers.
How does CORS mechanism work?
For example, a user of http://domain1.com.
opens an image that placed on http://cdn-domain.com/image.jpg.
In this case, a user's browser sends e.g. the following request to the server of http://cdn-domain.com/image.jpg
:
GET /image HTTP/1.1
Host: domain2.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://domain1.com/examples/access-control/test.html
Origin: http://domain1.com
In this request the most valuable header is Origin
. It tells the server that the request is sent from http://domain1.com.
The server of http://cdn-domain.com/image.jpg
read the Origin
header and accept or reject the request.
If the server accepts the request, it responds to the browser with the Access-Control-Allow-Origin
header. This header allows displaying the requested image for the http://domain1.com
user.
Important! Header parameters (in the example below- "*") depend on the server configuration. Read in detail about this and reasons for accepting and rejecting the request here.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2020 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
[XML Data]
If the request is not processed by the server, the response to the browser will be sent without Access-Control-Allow-Origin
header and the requested image will not be displayed.
How to configure Access-Control-Allow-Origin header in a personal account.
Go to Advanced Settings in the resource settings. Add the HTTP-header Access-Control-Allow-Origin option from the Access (Security) section.
There are three variants on how to configure this option:
1. *, for all domains: the content can be accessed from any domain.
In this case CDN will send Access-Control-Allow-Origin
header to the browser with the "*" parameter and the content will be available to view.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2020 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
2. "$http_origin" if an origin is listed below: the content can be accessed only from domains listed in the option field, the domain from which the request was sent will be added to the response.
When a request is received, the CDN matches the Origin
header value and the domains that are specified for the HTTP-Access-Control-Allow-Origin option.
If the Origin
header value matches one of the specified domains, the CDN adds the Access-Control-Allow-Origin
header to the response with the requested domain.
If the Origin header value does not match specified domains, the Access-Control-Allow-Origin
header is not added and the content will not be displayed.
! You can enter up to 20 domains.
For example, in the option settings cdn-domain.com is set:
In this case, if the request for your content is sent from cdn-domain.com
, the user's browser gets the following response and the content will be displayed.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: https://cdn-domain.com
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
If the request is sent not from cdn-domain.com
, then Access-Control-Allow-Origin
header will not be added to the response to the browser and content will not be displayed.
3. "$http_origin", for all domains: the content can be accessed from any domain and the domain from which the request was sent will be added to the response.
This variant of the option is the same as the first variant, but there is a difference in the response that gets the browser from the server in case of a successful request. The domain from which the request was sent will be added to Access-Control-Allow-Origin
header.
In this case, if the request for your content is sent e.g. from cdn-domain.com
, then this domain will be added to the Access-Control-Allow-Origin
response header and the content will be displayed for a user of cdn-domain.com
.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: https://cdn-domain.com
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
This option can be useful if for setting specific filtering on the server the "*" parameter is not suitable.
All the files delivered by CDN will contain Access-Control-Allow-Origin Header.
Rules
Configure Access-Control-Allow-Origin Header only for certain files via Rules.
Go to Advanced Settings -> the Security section -> the HTTP-header Access-Control-Allow-Origin option.
If the option is not added to the list, CDN uses the CDN Resource settings for the HTTP-header Access-Control-Allow-Origin option.
If you add an option to the list but do not enable it, the Access-Control-Allow-Origin header will not be added.
How to configure Access-Control-Allow-Origin header on the origin side
Below is an example of configurations for the CORS header settings on an origin.
Access-Control-Allow-Origin HTTP-header allows getting content from any domain.
The Apache Configuration
# ----------------------------------------------------------------------
# CORS-enabled images (@crossorigin)
# ----------------------------------------------------------------------
# Send CORS headers if browsers request them; enabled by default for images.
# developer.mozilla.org/en/CORS_Enabled_Image
# blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
# hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
# wiki.mozilla.org/Security/Reviews/crossoriginAttribute
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# mod_headers, y u no match by Content-Type?!
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# ----------------------------------------------------------------------
# Webfont access
# ----------------------------------------------------------------------
# Allow access from all domains for webfonts.
# Alternatively you could only whitelist your # subdomains like "subdomain.example.com".
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
The Nginx Configuration
location ~ \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
add_header Access-Control-Allow-Origin "*";
}
Check Access-Control-Allow-Origin header
1. Purge the CDN Resource cache.
2. Use one of the check methods presented below.
Use the cURL command in a terminal (MacOS) and cmd (WindowsOS)
1. In the terminal, specify: curl -I http://cdn.example.ru/js/intlTelInput/css/intlTelInput.css
Where http://cdn.example.ru/js/intlTelInput/css/intlTelInput.css is a link to a file integrated with CDN.
2. You will get an output. Pay attention to the Access-Control-Allow-Origin header.
HTTP/1.1 200 OK
Server: nginx/1.13.1
Date: Fri, 09 Jun 2017 12:54:24 GMT
Content-Type: image/jpeg
Content-Length: 124024
Connection: keep-alive
X-Image-Generated: 29
X-Image-Meta: 1024x768
X-Image-Read: 71
Expires: Wed, 06 Dec 2017 12:51:43 GMT
Cache-Control: max-age=15552000
Access-Control-Allow-Origin: *
Last-Modified: Sun, 01 Jan 2017 12:00:00 GMT
Cache-Control: max-age=315360000, public
Cache: HIT
X-Cached-Since: 2017-06-09T12:51:43+00:00
X-ID: m9-up-e245
3. If there is the required header, the Access-Control-Allow-Origin header is configured.
Use a browser developer console
1.Open a browser (e.g. Google Chrome).
2. Open your site.
3. Press F12 (to open a developer console)
4. Choose the Network tab.
5. Refresh the page (press F5). You will get the list of all files downloaded from your site.
6.Find the required file (e.g: jpeg, png) integrated with the CDN and click on it. For a faster search, use the filter in the panel left corner.
7. On the Headers tab on the right, you will find the headers set on your origin.
8. If there is the required header, the Access-Control-Allow-Origin header is configured.