I have CORS configured for my static subdomain and I can use the static files in my main domain and subdomains.
The problem is that I have a get request inside a javascript file and firefox is complaining only for that request, that is to the same static subdomain than the rest of requests I made on the html code.
I don't remember having this problem before, maybe some change in CORS (firefox) made this not work anymore?
The script (from inside the .js file):
$('#example').DataTable( {
//[...]
language: {
"url": "//static.domain.com/js/DataTables-Spanish.json"
},
//[...]
} );
This is what it actually does, a jquery ajax request method:
if ( oLanguage.sUrl !== "" )
{
/* Get the language definitions from a file - because this Ajax call makes the language
* get async to the remainder of this function we use bInitHandedOff to indicate that
* _fnInitialise will be fired by the returned Ajax handler, rather than the constructor
*/
$.ajax( {
dataType: 'json',
url: oLanguage.sUrl,
success: function ( json ) {
_fnLanguageCompat( json );
_fnCamelToHungarian( defaults.oLanguage, json );
$.extend( true, oLanguage, json );
_fnInitialise( oSettings );
},
error: function () {
// Error occurred loading language file, continue on as best we can
_fnInitialise( oSettings );
}
} );
bInitHandedOff = true;
}
The error in the firefox console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.mydomain.com/js/DataTables-Spanish.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
The CORS config (inside the vhost block):
<IfModule mod_headers.c>
SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=$0
Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Methods: "GET"
</IfModule>
Again, as you can see CORS is properly configured in the static subdomain, and I only get the complain for a request that is inside a javascript file.
Why is firefox complaining?
Firefox network monitor
Status: 200 - Method: GET - File: DataTables-Spanish.json - Domain: (green lock) static.domain.com - Cause: script - Type: json
-Request headers:
Host: static.domain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en,en-US;q=0.7,es;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://sub1.domain.com/site
Origin: https://sub1.domain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-Response headers:
Accept-Ranges: bytes
Content-Length: 932
Content-Type: application/json
Date: Fri, 06 Jan 2017 02:34:49 GMT
Etag: "3a4-52ef9645b6940"
Last-Modified: Sat, 26 Mar 2016 20:19:09 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2j
X-Firefox-Spdy: h2
access-control-allow-methods: GET
strict-transport-security: max-age=63072000; includeSubdomains;
EDIT: It works ok if I use the wildcard instead of the regex in the config:
<IfModule mod_headers.c>
#SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=$0
#Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Origin: *
Header set Access-Control-Allow-Methods: "GET"
</IfModule>
So now the question is: why is it not working with the regex?
It'll work with the regex if I put that header in the last line:
<IfModule mod_headers.c>
SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=$0
Header set Access-Control-Allow-Methods "GET"
Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
</IfModule>
The problem was I took the code from another question and didn't noticed the following:
That was doing just the opposite of what I wanted, that is whitelist the domains in the regex:
The other html requests are not supposed to be blocked by cors, so that's why.