Access-Control-Allow-Origin wildcard subdomains, ports and protocols


Problem description

I'm trying to enable CORS for all subdomains, ports and protocol.

For example, I want to be able to run an XHR request from http://sub.mywebsite.com:8080/ to https://www.mywebsite.com/*

Typically, I'd like to enable requests from origins matching (and limited to):

//*.mywebsite.com:*/*

Recommended answer

Based on DaveRandom's answer, I was also playing around and found something a bit simpler that produces the same result without using any rewrite rules:

SetEnvIf Origin ^(https?://.+\.mywebsite\.com(?::\d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
Header merge  Vary "Origin"

That's it.

Those who want to enable CORS on the parent domain (e.g. mywebsite.com) in addition to all its subdomains can simply replace the regular expression in the first line with this one:

^(https?://(?:.+\.)?mywebsite\.com(?::\d{1,5})?)$

Note: For spec compliance and correct caching behavior, ALWAYS add the Vary: Origin response header for CORS-enabled resources, even for non-CORS requests and those from a disallowed origin (see example why).
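
Added example (not part of the original answer): a Python emulation of the three directives above, run against constructed Origin values, to check which origins each regular expression echoes back and that Vary: Origin is set on every response. The function name cors_headers and the sample origins are assumptions made for illustration.

```python
import re

# The two patterns from the answer, copied verbatim. Apache evaluates them
# with PCRE; the constructs used here are also valid in Python's re module.
SUBDOMAINS_ONLY = re.compile(r"^(https?://.+\.mywebsite\.com(?::\d{1,5})?)$")
WITH_PARENT = re.compile(r"^(https?://(?:.+\.)?mywebsite\.com(?::\d{1,5})?)$")


def cors_headers(origin, pattern=SUBDOMAINS_ONLY):
    """Emulate the three directives for one request (hypothetical helper).

    origin is the request's Origin header value, or None when it is absent.
    """
    # Header merge Vary "Origin" is unconditional: sent for every request.
    headers = {"Vary": "Origin"}
    match = pattern.match(origin) if origin is not None else None
    if match:
        # SetEnvIf stored $1 in CORS_ALLOW_ORIGIN; Header append echoes it
        # back only when that variable is set (env=CORS_ALLOW_ORIGIN).
        headers["Access-Control-Allow-Origin"] = match.group(1)
    return headers


# Constructed sample origins; only the first two come from the question.
SAMPLES = [
    "http://sub.mywebsite.com:8080",           # subdomain with port
    "https://www.mywebsite.com",               # subdomain, default port
    "https://mywebsite.com",                   # parent domain
    "https://mywebsite.com.attacker.example",  # allowed name used as a prefix
    "https://notmywebsite.com",                # allowed name used as a suffix
    "ftp://sub.mywebsite.com",                 # scheme other than http/https
    "https://sub.mywebsite.com:123456",        # port longer than five digits
    "null",                                    # opaque origin
    None,                                      # non-CORS request
]

if __name__ == "__main__":
    for origin in SAMPLES:
        for name, pat in (("subdomains", SUBDOMAINS_ONLY),
                          ("with parent", WITH_PARENT)):
            print(f"{origin!r:42} {name:12} {cors_headers(origin, pat)}")
```

Running it prints one line per origin and pattern; the parent domain is echoed back only by the second pattern, and every response carries Vary: Origin.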
