Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg ajaygargnsit at gmail.com
Fri Apr 14 13:13:26 UTC 2017


Thanks a ton Richard !!

I will ask my colleague if this works in AngularJS on Monday; my gut feeling
is that it will :)
Thanks a ton guys !!!


Thanks and Regards,
Ajay

On Fri, Apr 14, 2017 at 5:01 PM, Richard Stanway <r1ch+nginx at teamliquid.net>
wrote:

> You're correct - placing the username and password in the URI is just as
> safe as any other method as long as it's going over HTTPS, and the
> credentials should never appear in any access logs (unless you specifically
> choose to log the Authorization header).
>
> On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Hi Richard.
>>
>> You have got me thinking ...
>> https://username:password@1.2.3.4/ works, even without ANY of the
>> "add_header" and "proxy_set_header" directives.
>>
>> So, now the only thing that worries me is security.
>>
>> http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https
>> indicates that the URL is safe, in the sense that "username" and "password"
>> would not be sniffable through a man-in-the-middle attack, right?
>>
>> Also, since 1.2.3.4 is our own server, we are not really bothered about
>> GET requests getting logged on the server, so we should be good.
>>
>> Do I make sense?
>>
>> Kindly let know your thoughts.
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>> On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <
>> r1ch+nginx at teamliquid.net> wrote:
>>
>>> You're missing the "Authorization" header in
>>> your Access-Control-Allow-Headers directive.
>>>
>>> You can alternatively pass the basic auth in your URI, eg
>>> xhr.open("GET", "https://username:password@1.2.3.4/") rather than
>>> crafting it manually.
>>>
>>> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com>
>>> wrote:
>>>
>>>> Strange, but rebooting the machine caused the credentials-popup to be
>>>> seen again :-|
>>>> Sorry for the noise here.
>>>>
>>>> There has been some progress, but I still get a "CORS preflight did not
>>>> succeed" error.
>>>> Following is what I am doing.
>>>>
>>>>
>>>> a)
>>>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>>>
>>>> ##########################################################################
>>>> server {
>>>>
>>>>                 listen 443 ssl;
>>>>
>>>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>>
>>>>                 add_header 'Access-Control-Max-Age' 1728000 'always';
>>>>                 add_header 'Access-Control-Allow-Origin' $http_origin 'always';
>>>>                 add_header 'Access-Control-Allow-Credentials' 'true' 'always';
>>>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
>>>>                 add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';
>>>>
>>>>                 location / {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>>>
>>>>                         proxy_set_header 'Access-Control-Max-Age' 1728000;
>>>>                         proxy_set_header 'Access-Control-Allow-Origin' '*';
>>>>                         proxy_set_header 'Access-Control-Allow-Credentials' 'true';
>>>>                         proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>>>                         proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
>>>>
>>>>                         proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
>>>>
>>>>                 }
>>>>         }
>>>> ##########################################################################
>>>>
>>>>
>>>>
>>>>
>>>> b)
>>>> Firing the following HTML from Firefox (sensitive information changed) ::
>>>>
>>>> ##########################################################################
>>>> <html>
>>>> <body>
>>>> <script type="text/javascript">
>>>> var data = null;
>>>>
>>>> var xhr = new XMLHttpRequest();
>>>> xhr.withCredentials = true;
>>>>
>>>> xhr.addEventListener("readystatechange", function () {
>>>>     if (this.readyState === 4) {
>>>>         console.log(this.responseText);
>>>>     }
>>>> });
>>>>
>>>> xhr.open("GET", "https://1.2.3.4/");
>>>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>>>> xhr.setRequestHeader("cache-control", "no-cache");
>>>>
>>>> xhr.send(data);
>>>> </script>
>>>> </body>
>>>> </html>
>>>> ##########################################################################
>>>>
>>>>
>>>>
>>>> Following is received in the Firebug console (sensitive information changed) ::
>>>>
>>>> ##########################################################################
>>>> GET https://23.253.207.208/
>>>> uff.html (line 19)
>>>> Headers
>>>>
>>>> Accept            text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> Accept-Encoding   gzip, deflate, br
>>>> Accept-Language   en-US,en;q=0.5
>>>> Authorization     Basic abcdefg
>>>> Cache-Control     no-cache
>>>> Host              1.2.3.4
>>>> Origin            null
>>>> User-Agent        Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
>>>>
>>>>
>>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>>>> channel did not succeed).
>>>> ############################################################
>>>> ##############
>>>>
>>>>
>>>> I am beginning to believe that I am close to solving the issue (of
>>>> course, all credit to the tremendous help from this list).
>>>> I will be grateful for the last bit of help from the really helpful
>>>> experts here.
>>>>
>>>> Sorry again for the noise in my previous email.
>>>>
>>>>
>>>> Thanks and Regards,
>>>> Ajay
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>> --
>> Regards,
>> Ajay



-- 
Regards,
Ajay
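Richard's pointer about the missing "Authorization" entry is only part of what a practitioner would change in the server block Ajay posted, so here is a worked configuration as an added example; it is not code from this thread and not from nginx's own documentation. It shows two things. First, browsers never send the Authorization header on the OPTIONS preflight, so auth_basic answers the preflight with 401 and Firefox reports exactly "CORS preflight channel did not succeed"; the preflight therefore has to be answered before auth_basic runs. Second, reflecting $http_origin into Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true lets any page the user happens to visit make credentialed requests to the server and read the responses (the "Origin: null" seen in the Firebug output, from a page opened via file://, would be reflected too), so the origin is taken from an explicit allow-list instead. The proxy_set_header lines in the original are also dropped: they set request headers sent to the upstream, not response headers the browser sees. The server_name, the upstream 127.0.0.1:8080 and the two origins in the map are assumptions for illustration; the certificate and htpasswd paths are the ones from the thread.

```nginx
# Added example, not from the thread. Assumed names: api.example.com,
# the upstream 127.0.0.1:8080, and the two allowed origins below.
# The map must live in the http context (a file under conf.d/ is fine).

# Allow-list of origins permitted to make credentialed cross-origin requests.
# Anything else maps to "", and add_header does not emit a header whose
# value is empty, so unknown origins simply get no Access-Control-Allow-Origin.
map $http_origin $cors_origin {
    default                      "";
    "https://app.example.com"    $http_origin;
    "https://admin.example.com"  $http_origin;
}

server {
    listen 443 ssl;
    server_name api.example.com;          # assumption

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # Preflight. "if" with "return" runs in the rewrite phase, before the
        # access phase where auth_basic lives, so the OPTIONS request is
        # answered without credentials and auth_basic never sees it.
        if ($request_method = OPTIONS) {
            add_header 'Access-Control-Allow-Origin'      $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS' always;
            # Authorization and Cache-Control are not CORS-safelisted, so both
            # headers the posted XHR sets must be listed here.
            add_header 'Access-Control-Allow-Headers'     'Authorization, Cache-Control, Content-Type, X-Requested-With' always;
            add_header 'Access-Control-Max-Age'           1728000 always;
            add_header 'Vary'                             'Origin' always;
            return 204;
        }

        auth_basic           'Restricted';
        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

        # Actual request. "always" keeps the headers on a 401 as well, so the
        # browser can expose the auth failure to the script instead of
        # masking it as a generic CORS error.
        add_header 'Access-Control-Allow-Origin'      $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Vary'                             'Origin' always;

        proxy_pass http://127.0.0.1:8080;   # assumption
    }
}

# Check from a shell (assumed host), expecting 204 and an
# Access-Control-Allow-Origin: https://app.example.com line, with no
# WWW-Authenticate challenge on the preflight:
#
#   curl -sk -o /dev/null -D - -X OPTIONS https://api.example.com/ \
#        -H 'Origin: https://app.example.com' \
#        -H 'Access-Control-Request-Method: GET' \
#        -H 'Access-Control-Request-Headers: authorization, cache-control'
#
# Repeating it with -H 'Origin: https://evil.example' should return 204
# with no Access-Control-Allow-Origin header at all.
```

The same curl run against the original server block is the quickest way to confirm the diagnosis: it comes back 401 with a WWW-Authenticate header, which is what the browser turns into the preflight failure.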