[Solved] Setting CORS (cross-origin resource sharing)

[John C]

Hi,
Was hoping someone could help us setting up a rule in .htaccess for CORS policy for Access-Control-Allow-Origin.
We found a bunch of posts on StackOverflow relating to this, all with the same general proposed solution.
We implemented the accepted solution trying a variety of variations .... but none seemed to work.
None of those posters appeared to be running LiteSpeed, so we're not sure if that's the issue and there's something we need to do slightly differently. We're running LS Enterprise 5.2.5 (build 2).

Here's the rule....

SetEnvIf Origin "^http(s)?://(.+\.)?(domain1\.com|domain2\.com|domain3\.com)$" origin_is=$0
Header always append Access-Control-Allow-Origin %{origin_is}e env=origin_is

We have 3 domains all pointing to the same IP and directory where the .htaccess is located.

curl -I domain1
curl -I domain2
curl -I domain3

If we remove the SetEnvIf line and just use:

Header always append Access-Control-Allow-Origin domain1

... it works just fine. It appears to be something with the syntax of the SetEndif line that LiteSpeed does not like.
Please note: I used domain1,2,3 for posting purposes due to privacy reasons ... the rule on the server is using the actual domain names.

Any help is much appreciated. Been fighting with this one for hours.

Thanks.

John

 

[John C]

Anyone on the LiteSpeed staff care to comment on this?
We have about 7 servers running LiteSpeed and will undoubtedly be running into the same issue when we try implementing this for other clients.
Any guidance is greatly appreciated. Thanks.

John

 

[John C]

Well, after much persistence, I was able to figure this out.
The following format worked:

SetEnvIf Host ^(www\.)?domain1\.com$ CORDS_ENV=https://www.domain1.com
SetEnvIf Host ^(www\.)?domain2\.com$ CORDS_ENV=https://www.domain2.com
SetEnvIf Host ^(www\.)?domain3\.com$ CORDS_ENV=https://www.domain3.com
Header always append Access-Control-Allow-Origin %{CORDS_ENV}e env=CORDS_ENV

Credit to Fabian Schmengler on

https://stackoverflow.com/questions/10727720/conditional-setenv-in-htaccess

for the SetEnvIf Host recommendation. I hope this helps someone else.

John

 

[John C]

Small tweak ... had to change "Header always append" to "Header set" to avoid a header injection vulnerability.

SetEnvIf Host ^(www\.)?domain1\.com$ CORDS_ENV=https://www.domain1.com
SetEnvIf Host ^(www\.)?domain2\.com$ CORDS_ENV=https://www.domain2.com
SetEnvIf Host ^(www\.)?domain3\.com$ CORDS_ENV=https://www.domain3.com
Header set Access-Control-Allow-Origin %{CORDS_ENV}e env=CORDS_ENV