I am looking to set up my (Red Hat Linux/Apache 2.2.3) website to allow Ajax calls from HTML5 apps written in Javascript where these scripts might be hosted elsewhere.
This is what CORS is all about.
There are many descriptions of how to enable CORS via mod_headers. Just about all of them set the Access-Control-Allow-Origin header to "*" which opens the site up to the world.
But the Same-origin policy is in place for a reason and this level of access raises real security questions.
How can I whitelist the sites (could be dozens of them, but sites of people I have business relationships with) I want without opening my site to the world?
The only discussion I've seen that discusses this is http://blog.blakesimpson.co.uk/read/64-apache-configure-cors-headers-for-whitelist-domains but:
- That page, while insightful, was not thorough.
- The approach does not look manageable with a largish number of allowed origins.
What are security-conscious web administrators doing?
You can put your all whitelisted domain as below and also define generic regexp match for more flexibel to whitelist domains.
<IfModule mod_headers.c>
##########################################################################
# 1.) ENABLE CORS PRE-FLIGHT REQUESTS
# e.g. PUT, DELETE, OPTIONS, ...
# we need to set Access-Control-Allow-Headers and
# Access-Control-Allow-Methods for allowed domain(s)
##########################################################################
# first check for pre-flight headers and set as environment variables
# e.g. header method-a is set here
SetEnvIf ^Access-Control-Request-Method$ "method-a" METHOD_A
SetEnvIf ^Access-Control-Request-Headers$ "^Content-Type$" HEADER_A
# set corresponding response pre-flight headers for allowed domain(s)
Header set Access-Control-Request-Methods "method-a" env=METHOD_A
Header set Access-Control-Request-Headers "content-type" env=HEADER_A
# TODO: add allowed additional pre-flight requests here...
#########################################################################
# 2.) ENABLE CORS *SIMPLE REQUESTS* (vs. Pre-Flight Requests from above)
# e.g. GET, POST and HEAD requests
# we need to set Access-Control-Allow-Origin header for allowed domain(s)
# also note that POST requests need to match one of the following
# Content-Type:
# 1) application/x-www-form-urlencoded
# 2) multipart/form-data
# 3) text/plain
#########################################################################
# e.g. origin = https://host-b.local
SetEnvIfNoCase Origin "https://host-b.local" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
# generic regexp match for more flexibel use cases
#SetEnvIfNoCase Origin "((http(s?))?://(www\.)?(host\-a|host\-b)\.local)(:\d+)?$" AccessControlAllowOrigin=$0
#Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
# TODO: add additional whitelisted domain here...
</IfModule>
