-1

On my production server, a weird CORS-issue has appeared that makes no sense to me.

Access to XMLHttpRequest at 'https://example.org/update' from origin 'https://www.example.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

(example.org is just a placeholder for my actual domain)

I have checked this issue and also that issue, but both of these issues could be solved by either disabling the policy (really bad idea for production) or checking that both the requesting and the replying url matched the same protocol.

I have checked both. I am out of ideas. Does anyone have a tip on where to look next?


If this is in any way relevant, my production server is on a LAMP webhost. I do not have access to https.conf but I have this in my .htaccess file:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 
fridde

1 Answer

1

They are not the same domain. If not specified, then subdomains are treated as different origins. You either have to write these origins to your CORS policy or use a rewrite condition and rule.

Try this:

# In .htaccess the leading slash is stripped before matching, so the pattern must not start with /
RewriteCond %{HTTP_HOST} ^www\.example\.org$
RewriteRule ^(.*)$ http://example.org/$1 [R=301,L]

This will rewrite http://www.example.org/update to http://example.org/update

Tarik Tutuncu
  • Wow, that was impressive and fast! Thank you! I didn't realize that subdomains are considered in the CORS-policy. I learned something important today! – fridde Dec 05 '18 at 13:55
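
The origin comparison behind the answer, and the allowlist alternative it mentions, as an added example (not code from the question or the answer). The names `originDiff`, `corsHeadersFor` and `ALLOWED` and the allowlist contents are assumptions for illustration; example.org is the page's placeholder domain.

```javascript
// Added example with constructed values; not code from the thread.

// An origin is the tuple (scheme, host, port). URL.port is '' when the
// port is the scheme's default, so fill it in before comparing.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return which parts of the origin differ between the page and the request
// target. An empty array means same-origin, so CORS does not apply.
function originDiff(pageUrl, requestUrl) {
  const a = new URL(pageUrl);
  const b = new URL(requestUrl);
  const port = (u) => u.port || DEFAULT_PORTS[u.protocol] || '';
  const diff = [];
  if (a.protocol !== b.protocol) diff.push('scheme');
  if (a.hostname !== b.hostname) diff.push('host');
  if (port(a) !== port(b)) diff.push('port');
  return diff;
}

// Hypothetical server-side helper: choose the CORS response headers for a
// request's Origin header. Exact string match against an allowlist; no
// prefix, suffix or regex matching, and no unconditional echo of Origin.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  const headers = { Vary: 'Origin' }; // caches must key the response on Origin
  if (allowedOrigins.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Constructed allowlist: the www host is allowed to call the bare domain.
const ALLOWED = new Set(['https://www.example.org']);

// The case from the question: same scheme, same port, different host.
console.log(originDiff('https://www.example.org/', 'https://example.org/update'));
// After a www -> bare-domain redirect the page and the request share one origin.
console.log(originDiff('https://example.org/', 'https://example.org/update'));
// Allowlisted origin gets the header; a lookalike host does not.
console.log(corsHeadersFor('https://www.example.org', ALLOWED));
console.log(corsHeadersFor('https://www.example.org.lookalike.test', ALLOWED));
```
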