
[users@httpd] CORS (Cross Origin Resource Sharing) server side configuration

Good morning, I'm looking for documentation about setting CORS headers in Apache.
The problem is that I need to handle a CORS request and be sure I set all the necessary headers in Apache.
Right now I get error 401.
Most of all, I can't find good server-side documentation on how to handle CORS requests!
Could you please post a link if that documentation exists?
This is the most complete topic I found but it sounds alchemic.
Ok, here we go with details:

This is the ajax CORS request:

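var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("GET", " ");
console.log('open x');
// A non-safelisted Content-Type and an Authorization header both make the
// browser send an OPTIONS preflight before the actual GET.
xhr.setRequestHeader("content-type", "application/txt");
xhr.setRequestHeader("authorization", "Basic 3j893njd83jneu32");
xhr.send();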

The Apache server configuration related to CORS is this:

<VirtualHost *:443>
Header set Access-Control-Allow-Origin ''
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "x-requested-with, content-type, origin, authorization, accept, client-security-token, basic, origin"
(Notice I added 'basic, origin' but I don't know if they are valid headers.
Nothing changes if I remove them.)

After sending the request, in the browser console I get the error:

Failed to load Response for preflight has invalid HTTP status code 401.

Here are more client side details:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="">
  <s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured</s:message>

Request URL: z
Request Method: OPTIONS
Status Code: 401 Unauthorized
Remote Address:
Referrer Policy: no-referrer-when-downgrade

Response header
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: x-requested-with, content-type, origin, authorization, accept, client-security-token, basic, origin
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT

Request header
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: authorization,content-type
Access-Control-Request-Method: GET
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Server detail

Ubuntu 16.0.4
Apache 2.4.18

Any suggestion is welcome.

Thank you.
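
Added example (not part of the original post): a small checker that applies the browser's preflight rules for a credentialed request to the exchange captured above, to show which conditions that response fails. The origin `https://app.example` and the `fixedResponse` object are constructed for illustration; the function and variable names are hypothetical.

```javascript
// Added example. ORIGIN and fixedResponse are constructed; captured values come from the post.
const ORIGIN = "https://app.example";
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns the reasons a browser would reject this preflight for a request
// made with withCredentials = true (empty array means the preflight passes).
function checkPreflight(req, res, origin) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const problems = [];
  // The OPTIONS preflight carries no Authorization header, so it has to be
  // answered with a 2xx status before any authentication takes place.
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) problems.push("Access-Control-Allow-Origin is missing");
  else if (allowOrigin === "*") problems.push("Access-Control-Allow-Origin: * is not accepted with credentials");
  else if (allowOrigin !== origin) problems.push("Access-Control-Allow-Origin does not match the Origin");
  if (h["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials is not true");
  const allowedHeaders = list(h["access-control-allow-headers"]);
  for (const name of list(req["access-control-request-headers"]))
    if (!allowedHeaders.includes(name)) problems.push(`request header ${name} is not allowed`);
  const method = req["access-control-request-method"].toLowerCase();
  const safelisted = ["get", "head", "post"]; // need no Access-Control-Allow-Methods entry
  if (!safelisted.includes(method) && !list(h["access-control-allow-methods"]).includes(method))
    problems.push(`method ${method.toUpperCase()} is not allowed`);
  return problems;
}

const capturedRequest = {
  "access-control-request-headers": "authorization,content-type",
  "access-control-request-method": "GET",
};
const capturedResponse = {
  status: 401,
  headers: {
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "x-requested-with, content-type, origin, authorization, accept, client-security-token, basic, origin",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
  },
};
// Constructed: same headers, a 2xx status and an explicit allowed origin.
const fixedResponse = {
  status: 204,
  headers: { ...capturedResponse.headers, "Access-Control-Allow-Origin": ORIGIN },
};

console.log(checkPreflight(capturedRequest, capturedResponse, ORIGIN));
console.log(checkPreflight(capturedRequest, fixedResponse, ORIGIN));
```

For the captured exchange it reports two failures: the 401 status and the absent Access-Control-Allow-Origin header.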