Set Access-Control-Allow-Origin header conditionally in nginx #39
Comments
|
Had this issue today, too. If the backend returns a 202 response Nginx does not add the header. So I've added a CORS middleware in the PHP backend which solved the problem for 202 responses but now I have the same duplicate header issue for other responses. We should remove the CORS header from Nginx. What do you think @sandrokeil ? |
|
If you don't like using a 3rd party middleware like That way it's also more "visible" what is going on. It took me quite some time to figure out where the header got added last time I had the problem. |
|
We can remove the CORS configuration from nginx if it‘s not working properly. Maybe we can also check if a CORS header is present. |
For some weird reason the
Access-Control-Allow-Origin: *header did not work for me. I decided to set the headers in the PHP application by using thetuupola/cors-middlewarepackage. Unfortunately nginx does not seem to care if a specific header is already set which led to a situation where in my response I had theAccess-Control-Allow-Origintwice set. Chrome does not like that and complained with an error. As a quick fix I supplied a custombasic.confconfiguration and removed thecross-domain-insecure.confinclude.Even though my quick fix works, I would love to see a configuration that would set the header only when it's not already set by the PHP application. However that does not seem to do easily with nginx, there's a whole blog post explaining why if is evil in nginx configuration.
One solutions seems to be to make use of the
lua_nginx_module. See https://stackoverflow.com/a/34295867 or https://stackoverflow.com/a/34295867 for an example. It might also be possible to make use of the map feature of nginx: https://serverfault.com/a/598106 - not sure though if that would work in this specific case.The text was updated successfully, but these errors were encountered: