Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg ajaygargnsit at gmail.com
Fri Apr 14 04:47:15 UTC 2017


Hi Richard.

You have got me thinking ...
https://username:password@1.2.3.4/ works, even without ANY of the
"add_header" and "proxy_set_header" directives.

So, now the only thing that worries me is security.

http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https
indicates that the URL is safe, in the sense that "username" and "password"
would not be sniffable through a man-in-the-middle attack, right?

Also, since 1.2.3.4 is our own server, we are not really bothered about
GET requests getting logged on the server, so we should be good.

Do I make sense?

Kindly let me know your thoughts.


Thanks and Regards,
Ajay

On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <r1ch+nginx at teamliquid.net> wrote:

> You're missing the "Authorization" header in your Access-Control-Allow-Headers
> directive.
>
> You can alternatively pass the basic auth in your URI, eg xhr.open("GET", "https://username:password@1.2.3.4/") rather than crafting it manually.
>
> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Strange, but rebooting the machine caused the credentials-popup to be
>> seen again :-|
>> Sorry for the noise here.
>>
>> There has been some progress, but still get a "CORS preflight did not
>> succeed error".
>> Following is what I am doing.
>>
>>
>> a)
>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>
>> ##########################################################################
>> server {
>>
>>                 listen 443 ssl;
>>
>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>                 add_header 'Access-Control-Max-Age' 1728000 'always';
>>                 add_header 'Access-Control-Allow-Origin' $http_origin 'always';
>>                 add_header 'Access-Control-Allow-Credentials' 'true' 'always';
>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
>>                 add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';
>>
>>                 location / {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>
>>                         proxy_set_header 'Access-Control-Max-Age' 1728000;
>>                         proxy_set_header 'Access-Control-Allow-Origin' '*';
>>                         proxy_set_header 'Access-Control-Allow-Credentials' 'true';
>>                         proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>                         proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
>>
>>                         proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
>>
>>                 }
>>         }
>> ##########################################################################
>>
>>
>>
>>
>> b)
>> Firing the following html from firefox (sensitive information changed) ::
>>
>> ##########################################################################
>> <html>
>> <body>
>> <script type="text/javascript">
>> var data = null;
>>
>> var xhr = new XMLHttpRequest();
>> xhr.withCredentials = true;
>>
>> xhr.addEventListener("readystatechange", function () {
>>     if (this.readyState === 4) {
>>         console.log(this.responseText);
>>     }
>> });
>>
>> xhr.open("GET", "https://1.2.3.4/");
>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>> xhr.setRequestHeader("cache-control", "no-cache");
>>
>> xhr.send(data);
>> </script>
>> </body>
>> </html>
>> ##########################################################################
>>
>>
>>
>> Following is received in the firebug-console (sensitive information
>> changed) ::
>>
>> ##########################################################################
>> GET https://23.253.207.208/
>> uff.html (line 19)
>> Headers
>>
>> Accept
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Encoding   gzip, deflate, br
>> Accept-Language   en-US,en;q=0.5
>> Authorization         Basic abcdefg
>> Cache-Control       no-cache
>> Host                     1.2.3.4
>> Origin                    null
>> User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
>> Gecko/20100101 Firefox/47.0
>>
>>
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>> channel did not succeed).
>> ##########################################################################
>>
>>
>> I am beginning to believe that I am close to solving the issue (of
>> course all credit to tremendous help from this list).
>> I will be grateful for the last bit of help from the really helpful
>> experts here.
>>
>> Sorry again for the noise in my previous email.
>>
>>
>> Thanks and Regards,
>> Ajay
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>



-- 
Regards,
Ajay
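Added example (not the configuration from the thread, and not Richard's or the list's code): a server block that answers the OPTIONS preflight before auth_basic can turn it away with a 401 (the browser sends no Authorization header on a preflight), lists Authorization in Access-Control-Allow-Headers as Richard points out, and allowlists the calling origin through a map instead of echoing $http_origin back with credentials enabled. The origin https://app.example.com and the upstream http://127.0.0.1:8080 are placeholders; a page opened from file:// sends Origin: null, as in the Firebug capture, so the test page has to be served from the allowlisted origin.

```nginx
# Assumed allowlist: only https://app.example.com (placeholder) may call with
# credentials. For any other origin $cors_origin is empty, and nginx omits an
# add_header whose value is empty, so no ACAO header is sent at all.
map $http_origin $cors_origin {
    default                   "";
    "https://app.example.com" $http_origin;
}

server {
    listen 443 ssl;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # Preflight: answer it here, before auth_basic runs. The headers
        # must be repeated inside the if block, since add_header directives
        # are not inherited into a block that declares its own.
        if ($request_method = OPTIONS) {
            add_header 'Access-Control-Allow-Origin'      $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers'     'Authorization,Content-Type,Cache-Control,X-Requested-With' always;
            add_header 'Access-Control-Max-Age'           1728000 always;
            return 204;
        }

        # Actual request: basic auth applies, then CORS headers go on the
        # response (add_header), not on the proxied request (proxy_set_header).
        auth_basic           'Restricted';
        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

        add_header 'Access-Control-Allow-Origin'      $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;

        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```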