0

Using apache mod_proxy 2.5 I'm trying to merge or replace an existing access-control-allow-origin header with mod_headers in a proxypass location. the answer returned from proxied backend already includes a access-control-allow-origin header which I'd like to merge or replace

Header always merge Access-Control-Allow-Origin  "*" 
Header always set Access-Control-Allow-Methods "OPTIONS, GET" 
Header always set Access-Control-Max-Age "1000" 
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token, x-smp-appcid"

This results in a header duplicate which raises an error in all browser cause this header can only occur once.

same is for Header always set although this should replace the existing header.

I also tried to use if module to first check for the headers occurence and only set if unset. but it's somehow hard to look into response headers.

any help is appreciated

Quentin Hayot
  • 7,786
  • 6
  • 45
  • 62
Martin
  • 91
  • 1
  • 11

1 Answers1

0

I got through the same problem by setting the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers only when its a preflight request

The second request ( POST, DELETE, PUT etc ) which is handled by the proxied backend ( which already sends the required headers ) is not a preflight request and hence the headers would not be set again by the Apache rules.

To check for preflight request, you could check whether the request contains:

  1. REQUEST_METHOD == OPTIONS
  2. Access-Control-Request-Method !-= ""
  3. Origin != ""

Hope this helps.

Agraj
  • 466
  • 5
  • 19