Unable to resolve the "Access-Control-Allow-Origin" issue
Richard Stanway
r1ch+nginx at teamliquid.net
Fri Apr 14 11:31:26 UTC 2017
You're correct - placing the username and password in the URI is just as
safe as any other method as long as it's going over HTTPS, and the
credentials should never appear in any access logs (unless you specifically
choose to log the Authorization header).
On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
> Hi Richard.
>
> You have got me thinking ...
> https://username:password@1.2.3.4/ works, even without ANY of the
> "add_header" and "proxy_set_header" directives.
>
> So, now the only thing that worries me is security.
>
> http://stackoverflow.com/questions/4143196/is-get-data-
> also-encrypted-in-https indicates that the URL is safe, in the sense that
> "username" and "password" would not be sniffable through a
> man-in-the-middle attack, right?
>
> Also, since 1.2.3.4 is our own server, so we are not really bothered about
> GET-requests getting logged on the server, so we should be good.
>
> Do I make sense?
>
> Kindly let know your thoughts.
>
>
> Thanks and Regards,
> Ajay
>
> On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <
> r1ch+nginx at teamliquid.net> wrote:
>
>> You're missing the "Authorization" header in
>> your Access-Control-Allow-Headers directive.
>>
>> You can alternatively pass the basic auth in your URI, eg xhr.open("GET",
>> "https://username:password@1.2.3.4/") rather than crafting it manually.
>>
>> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com>
>> wrote:
>>
>>> Strange, but rebooting the machine caused the credentials-popup to be
>>> seen again :-|
>>> Sorry for the noise here.
>>>
>>> There has been some progress, but still get a "CORS preflight did not
>>> succeed error".
>>> Following is what I am doing.
>>>
>>>
>>> a)
>>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>>
>>> ############################################################
>>> ##############
>>> server {
>>>
>>> listen 443 ssl;
>>>
>>> ssl_certificate /etc/nginx/ssl/nginx.crt;
>>> ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>
>>> add_header 'Access-Control-Max-Age' 1728000 'always';
>>> add_header 'Access-Control-Allow-Origin' $http_origin
>>> 'always';
>>> add_header 'Access-Control-Allow-Credentials' 'true'
>>> 'always';
>>> add_header 'Access-Control-Allow-Methods' 'GET, POST,
>>> OPTIONS' 'always';
>>> add_header 'Access-Control-Allow-Headers'
>>> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,U
>>> ser-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
>>> 'always';
>>>
>>> location / {
>>>
>>> auth_basic 'Restricted';
>>> auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>>
>>> proxy_set_header 'Access-Control-Max-Age'
>>> 1728000;
>>> proxy_set_header 'Access-Control-Allow-Origin'
>>> '*';
>>> proxy_set_header
>>> 'Access-Control-Allow-Credentials' 'true';
>>> proxy_set_header
>>> 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>> proxy_set_header
>>> 'Access-Control-Allow-Headers'
>>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,I
>>> f-Modified-Since,Cache-Control,Content-Type';
>>>
>>> proxy_pass
>>> $forwarded_protocol://127.0.0.1:$forwarded_port;
>>>
>>> }
>>> }
>>> ############################################################
>>> ##############
>>>
>>>
>>>
>>>
>>> b)
>>> Firing the following html from firefox (sensitive information changed) ::
>>>
>>> ############################################################
>>> ##############
>>> <html>
>>> <body>
>>> <script type="text/javascript">
>>> var data = null;
>>>
>>> var xhr = new XMLHttpRequest();
>>> xhr.withCredentials = true;
>>>
>>> xhr.addEventListener("readystatechange", function () {
>>> if (this.readyState === 4) {
>>> console.log(this.responseText);
>>> }
>>> });
>>>
>>> xhr.open("GET", "https://1.2.3.4/");
>>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>>> xhr.setRequestHeader("cache-control", "no-cache");
>>>
>>> xhr.send(data);
>>> </script>
>>> </body>
>>> </html>
>>> ############################################################
>>> ##############
>>>
>>>
>>>
>>> Following is received in the firebug-console (sensitive information
>>> changed) ::
>>>
>>> ############################################################
>>> ##############
>>> GET https://23.253.207.208/
>>> uff.html (line 19)
>>> Headers
>>>
>>> Accept
>>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Encoding gzip, deflate, br
>>> Accept-Language en-US,en;q=0.5
>>> Authorization Basic abcdefg
>>> Cache-Control no-cache
>>> Host 1.2.3.4
>>> Origin null
>>> User-Agent Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
>>> Gecko/20100101 Firefox/47.0
>>>
>>>
>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>>> channel did not succeed).
>>> ############################################################
>>> ##############
>>>
>>>
>>> I am beginning to believe that I am close to solving the issue (of
>>> course all credit to tremendous help from this list).
>>> I will be grateful for the last bit of help being received by the
>>> really helpful experts here..
>>>
>>> Sorry again for the noise in my previous email.
>>>
>>>
>>> Thanks and Regards,
>>> Ajay
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/76486d2d/attachment-0001.html>
More information about the nginx
mailing list