
serve the way w3c sez to do it

Open timball opened this issue 9 years ago • 4 comments

The previous version of the nginx configs did not follow the recommendations of the w3c and as a result some clients would balk at the headers being served. This PR fixes issue #102.

--timball

timball avatar Jun 09 '15 19:06 timball

feedback taken. code adjusted.

--timball

timball avatar Jun 10 '15 02:06 timball

pull code ?

timball avatar Jun 23 '15 03:06 timball

Sorry I'm traveling these past two weeks. I'll try to get to this by the end of this week.

On Mon, Jun 22, 2015 at 10:17 PM timball [email protected] wrote:

pull code ?

— Reply to this email directly or view it on GitHub: https://github.com/monsur/enable-cors.org/pull/103#issuecomment-114339380

monsur avatar Jun 23 '15 03:06 monsur

So what is the current status of the permissive CORS setup for nginx, @monsur? I skimmed through all the suggestions from the past 6 years and this is what I found:

  1. The add_header always parameter is needed
  2. Change Access-Control-Allow-Origin to $http_origin in order to support cross-origin authentication through the Access-Control-Allow-Credentials: true header
  3. Get rid of ifs inside location blocks (https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)?
  4. Optionally add instructions for an alternative way using the ngx_headers_more module
  5. Add warnings about why this wide-open CORS configuration is dangerous

gurland avatar Apr 01 '21 10:04 gurland
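As an added example (not config from the enable-cors.org repository or from this PR), here is an nginx configuration that applies points 1, 2, 3 and 5 of the list above: an origin allow-list built with `map` instead of an `if` in the `location`, `add_header ... always` so error responses carry the headers too, and credentials honoured only for listed origins. The hostnames and backend address are placeholders I made up.

```nginx
# Added example, not the enable-cors.org project's own config.
# Hostnames and the backend address are constructed placeholders.
events {}

http {
    # Allow-list: the map yields the request's Origin only when it is
    # listed, otherwise an empty string. nginx drops a header whose value
    # is empty, so unlisted origins get no Access-Control-Allow-Origin at
    # all. This replaces an `if ($http_origin ~ ...)` inside `location`.
    map $http_origin $cors_origin {
        default                     "";
        "https://app.example.com"   $http_origin;
        "https://admin.example.com" $http_origin;
    }

    server {
        listen 80;
        server_name api.example.com;

        location / {
            # Wide-open form the thread warns about, shown for contrast:
            #   add_header Access-Control-Allow-Origin '*';
            # Browsers refuse '*' combined with credentials, and echoing
            # $http_origin for every origin with credentials would let any
            # site make authenticated requests to this API.

            # `always` (nginx >= 1.7.5) adds the headers on 4xx/5xx too, so
            # a browser can read an error body instead of a CORS failure.
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials true         always;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
            add_header Access-Control-Allow-Headers 'Authorization, Content-Type' always;
            add_header Access-Control-Max-Age 3600 always;
            # Responses differ per Origin, so shared caches must key on it.
            add_header Vary Origin always;

            # Preflight: `return` is one of the two operations the ifisevil
            # page lists as safe inside `if`; because this block declares no
            # add_header of its own, it inherits the location's headers.
            if ($request_method = OPTIONS) {
                return 204;
            }

            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Check it with `nginx -t` and then send a request with an unlisted Origin: the response should carry no Access-Control-Allow-Origin header, which is what makes the credentialed variant safe.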