1

I was trying to whittle down the cases where the Access-Control-Allow-Origin is sent in a response to only some specific scenarios such as only for specific request methods. In this situation we already included the response header on all requests for a specific directory but then after adding the If condition below it no longer seems to work.

<Directory "/var/www/myapp">
<If "%{REQUEST_METHOD} == 'HEAD'"> 
  Header set Access-Control-Allow-Origin 'https://some.example.com'
</If>
</Directory>

What's more is that I have also tried to debug this through various means and from what I can tell the %{REQUEST_METHOD} variable is not being resolved correctly. Here are the tests that I've done to determine this so far.

No condition includes the header as expected.

<Directory "/var/www/myapp">
  Header set Access-Control-Allow-Origin 'https://some.example.com'
</Directory>

Condition which should always be true, includes the header as expected.

<Directory "/var/www/myapp">
<If "'HEAD' == 'HEAD'"> 
  Header set Access-Control-Allow-Origin 'https://some.example.com'
</If>
</Directory>

Add a header to echo the value resolved by %{REQUEST_METHOD} seems to break Apache, response comes back with no headers looks like an error in handling.

<Directory "/var/www/myapp">
  Header set X-Method "%{REQUEST_METHOD}"
  Header set Access-Control-Allow-Origin 'https://some.example.com'
</Directory>

I can't help to think that I must have some syntax wrong but I've checked things over several times and nothing sticks out to me.

jpierson
  • 241
  • 2
  • 8
  • The syntax seems fine as you wrote it in first code sample. I think that REQUEST_METHOD is not equal with HEAD. check that cases is matching. Try also with regex matching. Increase `LogLevel` - see httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging and test with `curl` – Mircea Vutcovici Aug 19 '22 at 20:15
  • That was my thought too @MirceaVutcovici, I tried ` ` as well as the debug case with `X-Method` to see if it was a casing issue but neither of these seemed to support a case mismatch scenario. Instead it seems to me the best I can tell that %{REQUEST_METHOD} just isn't resolving in some cases or that I'm somehow getting the syntax wrong. Oddly enough in my workaround in `RewriteCond` it seems to work just fine . – jpierson Aug 19 '22 at 20:27
  • Have you tried also increasing the `LogLevel`? I was just curious what is happening. – Mircea Vutcovici Aug 20 '22 at 03:41
  • I have not yet, as the nature of workarounds go, I was able to get past this issue as a blocker and haven't had the chance to circle back. I'll try the `LogLevel` next time though, but I'm not that familiar with Apache logs and troubleshooting in general so it may take me a bit to get familiar in general to know that I'm looking in the right place. – jpierson Sep 01 '22 at 15:40

1 Answers1

1

I've found a workaround which appears to be working for me so far but I still want to understand why my original attempt using If conditionals didn't work. To me the workaround below is less readable than my original attempt.

<Directory "/var/www/myapp">
  RewriteCond %{REQUEST_METHOD} 'HEAD'
  RewriteRule ^ - [ENV=cors:true]
  Header set Access-Control-Allow-Origin 'https://some.example.com' env=cors
</Directory>

Shout out to the following references which helped me discover this workaround:

jpierson
  • 241
  • 2
  • 8