Access-Control-Allow-Origin 通配符子域、端口和协议 [英] Access-Control-Allow-Origin wildcard subdomains, ports and protocols

问题描述

我正在尝试为所有子域、端口和协议启用 CORS.

I'm trying to enable CORS for all subdomains, ports and protocol.

例如，我希望能够从 http://sub.mywebsite.com 运行 XHR 请求:8080/ 到 https://www.mywebsite.com/*

For example, I want to be able to run an XHR request from http://sub.mywebsite.com:8080/ to https://www.mywebsite.com/*

通常，我想启用来自匹配的来源的请求(并且仅限于):

Typically, I'd like to enable request from origins matching (and limited to):

//*.mywebsite.com:*/*

推荐答案

基于DaveRandom的answer，我也在玩周围并找到了一个稍微简单的 Apache 解决方案，它产生相同的结果(Access-Control-Allow-Origin 动态设置为当前特定协议 + 域 + 端口)，而不使用任何重写规则:

Based on DaveRandom's answer, I was also playing around and found a slightly simpler Apache solution that produces the same result (Access-Control-Allow-Origin is set to the current specific protocol + domain + port dynamically) without using any rewrite rules:

SetEnvIf Origin ^(https?://.+.mywebsite.com(?::d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
Header merge  Vary "Origin"

就是这样.

那些想要在父域(例如 mywebsite.com)以及所有子域上启用 CORS 的人可以简单地将第一行中的正则表达式替换为这个:

Those who want to enable CORS on the parent domain (e.g. mywebsite.com) in addition to all its subdomains can simply replace the regular expression in the first line with this one:

^(https?://(?:.+.)?mywebsite.com(?::d{1,5})?)$.

注意:对于 规范合规性 和正确的缓存行为，始终为启用 CORS 的资源添加 Vary: Origin 响应标头，即使对于非 CORS 请求和来自不允许来源的请求(请参阅 示例原因).

Note: For spec compliance and correct caching behavior, ALWAYS add the Vary: Origin response header for CORS-enabled resources, even for non-CORS requests and those from a disallowed origin (see example why).

这篇关于Access-Control-Allow-Origin 通配符子域、端口和协议的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！