
I get the following error:

Access to XMLHttpRequest at 'http://example:8080/*' from origin 'http://example' has been blocked by CORS policy:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I am working through an Apache web server and redirecting every request to Tomcat, but I am not able to find where to remove the 8080 in the response URL. I want to handle this from the Apache web server.

I tried this, but with no results:

SetEnvIf Origin "^(.*\.example:8080/ccms)$" ORIGIN_SUB_DOMAIN=$1
Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
Header set Access-Control-Allow-Methods: "*"
Header set Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
Patrick Mevzek

1 Answer


The rule

SetEnvIf Origin "^(.*\.example:8080/ccms)$" ORIGIN_SUB_DOMAIN=$1

makes the variable ORIGIN_SUB_DOMAIN poorly named as it will contain the whole part of the string between the parentheses, so the part and the path part too.

If you want to match only the domain, you need to restrict things further, like so:

SetEnvIf Origin "^(.*\.example):8080/ccms$" ORIGIN_SUB_DOMAIN=$1

The whole path has to match for the variable to be set, but $1 will only be the content inside the () part.

However, your other problem is that the Origin header will never have this form, and hence that will never match.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin for a definition:

Origin: <scheme> "://" <hostname> [ ":" <port> ]

There is no path part to it, so your line should be:

SetEnvIf Origin "^(.*\.example):8080$" ORIGIN_SUB_DOMAIN=$1

If you want to restrict its application you need to enclose it in some Location tags, like:

<Location /ccms>
    SetEnvIf Origin "^(.*\.example):8080$" ORIGIN_SUB_DOMAIN=$1

    # your other directives here
</Location>

The variable remains slightly misnamed, as you did not match a subdomain or even a domain, but a full URL, including the schema, since you need it back for Access-Control-Allow-Origin. Of course whatever name you choose for the variable does not change how it works.

As for the other directives: you do not need a ':' when specifying header names for the Header directive. It is allowed, but then I recommend you write all 3 lines in the same way, either always with or always without, no need to introduce diversity here.

Patrick Mevzek
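
Added example, not part of the original question or answer: a Python emulation of the `SetEnvIf` capture and of the browser's check that `Access-Control-Allow-Origin` equals the `Origin` it sent, run over the patterns quoted on this page. It shows that a capture group which stops before the port echoes a value the browser will not accept. The `WHOLE` pattern, the function names and the sample `Origin` values are assumptions constructed for illustration.

```python
import re

# SetEnvIf patterns quoted on this page
QUESTION = r"^(.*\.example:8080/ccms)$"
ANSWER = r"^(.*\.example):8080$"
# Assumption (not from the page): capture the entire origin, port included,
# and make the subdomain optional so the bare host also matches.
WHOLE = r"^(https?://(?:[a-z0-9-]+\.)*example(?::8080)?)$"


def setenvif_capture(pattern, origin):
    """Emulate SetEnvIf Origin "<pattern>" VAR=$1: return $1, or None if unset."""
    m = re.search(pattern, origin)
    return m.group(1) if m else None


def browser_accepts(pattern, origin):
    """Emulate `Header set Access-Control-Allow-Origin "%{VAR}e" env=VAR`
    followed by the browser's check: the header must equal the Origin sent."""
    echoed = setenvif_capture(pattern, origin)
    return echoed is not None and echoed == origin


# Constructed sample Origin values (scheme://host[:port], never a path)
SAMPLES = [
    "http://example",                # origin shown in the error message
    "http://app.example:8080",
    "http://app.example",
    "http://app.example.evil.test",  # lookalike host that must not be echoed
]

if __name__ == "__main__":
    for name, pat in (("question", QUESTION), ("answer", ANSWER), ("whole", WHOLE)):
        for origin in SAMPLES:
            print(f"{name:8} {origin:30} $1={setenvif_capture(pat, origin)!r:28} "
                  f"accepted={browser_accepts(pat, origin)}")
```
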