8

I don't know much about working with .htaccess files. I've tried researching. So, maybe someone could help me out on here. I want to allow https and http at the same time. Let me explain.

http is working, but a website on HTTPS is giving me an error in the console:

XMLHttpRequest cannot load https://domain1.com/data.json. The 'Access-Control-Allow-Origin' header has a value 'https://www.domain1.coms' that is not equal to the supplied origin. Origin 'https://www.domain1.com' is therefore not allowed access.

If I change the "http" to "https" it works for the https website but then the http website doesn't work. How do I allow both at the same time?

I hope that made any sense to you guys! Thank you for any help!


Here is my code:

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(www\.)?(domain.com|domain2.com|domain3.com|domain4.com|domain5.com)$" AccessControlAllowOrigin=$0$1
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
</IfModule>
  • 1
    I hope I've understood this correctly, but if you're happy for users to access your website through `http` or `https` then you don't actually need to do anything in your `.htaccess`. Generally, you use `.htaccess` to force one or the other, or for specific pages etc. Like wp-admin for example. The user will be able to type either `http` or `https` and the secure version will work if they wish to use it. – Joe Mar 22 '17 at 14:59
  • Thank you for this! –  Mar 31 '17 at 21:57

4 Answers

2

As another answer has pointed out, the $1 should be removed as it is the s from https:// being appended to the end of the URL, so it should be changed to:

SetEnvIf Origin "http(s)?://(www\.)?(domain.com|domain2.com|domain3.com|domain4.com|domain5.com)$" AccessControlAllowOrigin=$0

This will make sure AccessControlAllowOrigin is set to the exact value of the Origin header.

I think the reason for http:// to work sometimes and https:// sometimes is because the browser most likely caches the response from the server. So you should either respond with both http:// and https://, or you should specify the Vary: Origin header to inform the browser that the response depends on the Origin header.

I would also suggest changing Header add to Header set, Header merge or Header append, since the mod_headers documentation states:

add
The response header is added to the existing set of headers, even
if this header already exists. This can result in two (or more)
headers having the same name. This can lead to unforeseen
consequences, and in general set, append or merge should be used
instead.

So, my suggestion is to specify the Vary header:

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(www\.)?(domain.com|domain2.com|domain3.com|domain4.com|domain5.com)$" AccessControlAllowOrigin=$0
    Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
    Header merge Vary Origin
</IfModule>

Or specify both http:// and https://:

<IfModule mod_headers.c>
    SetEnvIf Origin "https?://(www\.)?(domain.com|domain2.com|domain3.com|domain4.com|domain5.com)$" AccessControlAllowOrigin=$1$2
    Header append Access-Control-Allow-Origin http://%{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header append Access-Control-Allow-Origin https://%{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
    Header merge Vary Origin
</IfModule>
Victor Jerlin
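The backreference behaviour discussed in the question and in the answer above, modelled in Python as an added example (not code from the original posts). `setenvif_value` is a hypothetical helper that imitates how `SetEnvIf` expands `$0`/`$1`, `STRICT_PATTERN` is an assumed tighter variant of the page's regex, and the sample origins are constructed.

```python
import re

# Pattern copied from the question: unanchored at the start, unescaped dots.
PAGE_PATTERN = (r"http(s)?://(www\.)?"
                r"(domain.com|domain2.com|domain3.com|domain4.com|domain5.com)$")
# Assumed tighter variant (not from the page): anchored, literal dots.
STRICT_PATTERN = r"^https?://(?:www\.)?domain[2-5]?\.com$"


def setenvif_value(pattern, template, origin):
    """Model `SetEnvIf Origin <pattern> VAR=<template>` (hypothetical helper).

    Returns the value VAR would receive, or None when the pattern does not
    match, in which case `Header ... env=VAR` sends no header at all.
    """
    m = re.search(pattern, origin)  # like SetEnvIf, matches anywhere unless anchored
    if m is None:
        return None

    def backref(ref):
        n = int(ref.group(1))
        # $0 is the whole match; an unset or missing group expands to "".
        return (m.group(n) or "") if n <= m.re.groups else ""

    return re.sub(r"\$(\d)", backref, template)


def browser_accepts(pattern, template, origin):
    """CORS check: Access-Control-Allow-Origin must equal Origin exactly."""
    return setenvif_value(pattern, template, origin) == origin


# Constructed sample Origin values.
SAMPLES = ["http://www.domain2.com", "https://www.domain2.com",
           "https://www.domain2xcom", "https://other.example"]

def report(pattern, template):
    """Return (origin, header value, accepted) for each sample origin."""
    return [(o, setenvif_value(pattern, template, o),
             browser_accepts(pattern, template, o)) for o in SAMPLES]

if __name__ == "__main__":
    for name, pat, tpl in [("question ($0$1)", PAGE_PATTERN, "$0$1"),
                           ("answer ($0)", PAGE_PATTERN, "$0"),
                           ("strict ($0)", STRICT_PATTERN, "$0")]:
        print(name)
        for row in report(pat, tpl):
            print("   ", row)
```

With `$0$1` the captured `s` is appended only for https origins, which is where the `.coms` value in the console error comes from; the page's pattern also reflects `https://www.domain2xcom` because its dots are not escaped, while the anchored pattern leaves the variable unset for it.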
1

This answer seems to provide some useful information on this. However, it looks like you may be trying to load the content from a different website due to a typo.

XMLHttpRequest cannot load https://domain1.com/data.json. The 'Access-Control-Allow-Origin' header has a value 'https://www.domain1.coms' that is not equal to the supplied origin. Origin 'https://www.domain1.com' is therefore not allowed access.

The TLD is .coms, make sure it's requesting the resource from the right place, so from .com instead.

Community
1

Well, there are ways. The first is by creating a virtual host. To do this, you need to make a change to the http conf file.

<VirtualHost *:80>
ServerName 'http://www.domain1.com'
DocumentRoot /var/www/your-domain-root
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/your-domain-root
ServerName 'https://www.domain1.com'
SSLEngine On
SSLOptions +StrictRequire
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# TLS 1.0 and 1.1 are deprecated; allow only TLS 1.2 and newer
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

Secondly, we can do this using htaccess. In htaccess we can use 301 redirects. The SSL (https://) website will be our base website and the non-SSL (http://) website will be secondary. Redirect all requests from http:// to https://. For redirecting you can use either 301 redirects or mod_rewrite.

Let me know if it was helpful.

0

[I am replying here because I can't reply to @Daniel James's answer.]

I have the same situation as OP's. The 's' at the end of 'com' is not a typo. If I change the rule to:

SetEnvIf Origin "http(s)?://(www\.)?(domain.com|domain2.com|domain3.com|domain4.com|domain5.com)$" AccessControlAllowOrigin=$0

which is without the $1 at the end, it works fine with requests from https pages, but it blocks the ones from http.

If I leave the $1, the http ones work, but not the https.

[Later edit]

I am awarding the bounty to Victor Jerlin, as his first suggestion worked for me. Thank you so much!

andreini