9

With nginx can I specify Access-Control-Allow-Origin using a wildcard like *.mydomain.com?

Would it look like:

add_header Access-Control-Allow-Origin *.mydomain.com;

Thanks.

Justin

3 Answers

11

you have to do it with an if condition

location /  {
  # $http_origin is the request's Origin header. Reflect it only when it ends
  # in one of our domains: the trailing $ is what stops the pattern from also
  # matching tenant.mydomain.com.attacker.example.
  set $cors "";
  if ($http_origin ~* (\.mydomain\.com|\.myseconddomain\.com)$) {
      set $cors "true";
  }

  proxy_pass http://backend:10005/apathifyouwantso/;

  if ($cors = "true") {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
    # Allow-Credentials plus a reflected origin lets any matched origin read
    # cookie-authenticated responses, so the regex above must be exact.
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
    # The Allow-Origin value differs per Origin; tell shared caches not to
    # serve one origin's copy of the response to another.
    add_header 'Vary' 'Origin';
  }
}
Demindiro
schmichri
4

Setting "Access-Control-Allow-Origin" based on conditions in nginx is very dangerous and you should be careful. The answer above is opening a security vulnerability.

if ($http_origin ~* (\.mydomain\.com|\.myseconddomain\.com)) 

This line will match something.mydomain.com and also something.mydomain.com.anyotherdomain.com (A domain anyone can create)

Doing this, will allow the following scenario:

  1. A banner makes users open something.mydomain.com.anyotherdomain.com
  2. Which makes requests to your site using fetch.
  3. Fetch, can include credentials, which means your user cookies.
  4. So the attacker can make requests to your server authenticated as that user. (Ex: send messages, emails, etc)

And all of that, because the regular expression is missing one '$' at the end.

if ($http_origin ~* (\.mydomain\.com|\.myseconddomain\.com)$) 

That's not the only way you can make that particular regexp bad; that's why I am explaining the problem, rather than just adding $ in the previous answer.

Vts
  • should this be a comment to [this answer](https://serverfault.com/a/829402/) rather than an answer to this post? – mforsetti Aug 06 '20 at 16:50
  • @mforsetti sadly it's too long for a comment, but he could incorporate the other answer inside his to make it a complete answer. – yagmoth555 Aug 06 '20 at 17:28
  • @yagmoth555 yeah, I guess that's also possible; remembering that you need 50 reps to make a comment. – mforsetti Aug 06 '20 at 17:49
  • 1
    I have 1 rep point, so I can't edit the answer. Perhaps someone else will – Vts Aug 07 '20 at 09:44
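The regex point in the two answers above, as an added example that is not code from either answer: a small JavaScript model of how nginx's `~*` test evaluates `$http_origin` against the allowlist, run over a handful of constructed Origin values. nginx's `~*` is a case-insensitive PCRE search that is unanchored unless the pattern says otherwise; `RegExp.prototype.test` with the `i` flag behaves the same way for these patterns. The `STRICT` pattern, the `allowOrigin` helper and the sample origins are assumptions added for illustration, not anything the answers specify.

```javascript
// Added example, not code from the answers above: models how nginx's `~*`
// evaluates $http_origin against the allowlist, so the missing-`$` bug can be
// checked without running nginx. `~*` is a case-insensitive, unanchored PCRE
// search; RegExp.test with the `i` flag is equivalent for these patterns.

// The pattern as the second answer says it was originally posted: no `$`.
const UNANCHORED = /(\.mydomain\.com|\.myseconddomain\.com)/i;
// The pattern with the trailing `$` that the second answer asks for.
const ANCHORED = /(\.mydomain\.com|\.myseconddomain\.com)$/i;
// Assumed stricter form (not on the page): pins the scheme to https, requires
// at least one label before the registrable domain, and allows no port or path.
const STRICT = /^https:\/\/([a-z0-9-]+\.)+(mydomain|myseconddomain)\.com$/i;

// Mirrors the two `if` blocks in the first answer: returns the value that
// would be put in Access-Control-Allow-Origin, or null when nginx would send
// no CORS headers at all. An absent Origin header makes $http_origin empty.
function allowOrigin(origin, pattern) {
  if (!origin) return null;
  return pattern.test(origin) ? origin : null;
}

// Constructed sample Origin headers (not from the page).
const ORIGINS = [
  'https://tenant1.mydomain.com',               // a legitimate tenant
  'https://tenant1.mydomain.com.evil.example',  // attacker-registered domain
  'http://tenant1.mydomain.com',                // same host, plaintext scheme
  'https://evilmydomain.com',                   // no dot before "mydomain"
  'null',                                       // opaque origin (sandboxed iframe, file://)
];

// Which of the sample origins a given pattern would reflect back.
function reflectedOrigins(pattern) {
  return ORIGINS.filter((o) => allowOrigin(o, pattern) !== null);
}

console.log('unanchored:', reflectedOrigins(UNANCHORED));
console.log('anchored:  ', reflectedOrigins(ANCHORED));
console.log('strict:    ', reflectedOrigins(STRICT));
```

The unanchored pattern reflects the attacker's `tenant1.mydomain.com.evil.example`, which is exactly the scenario the second answer walks through. The anchored pattern closes that hole but still reflects an `http://` origin, so a plaintext page on the same host name could read credentialed responses from the `https://` site; the stricter form pins the scheme as well.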
2

You sure can. I use the following directive to support some of our cross domain fonts:

  add_header Access-Control-Allow-Origin *;
Stephan
  • 6
    No I don't want wildcard for everything, but only anything.mydomain.com. I have a SaaS and each signup gets their own subdomain (user.mydomain.com). Also, I am testing and put `add_header Access-Control-Allow-Origin http://google.com;` for testing, and assumed requests would fail, but surprisingly they still work. Any idea why? They should fail right? – Justin Feb 05 '13 at 20:13
  • Ah, I understand. Yes, you can use globs, though I can't say for certain why requests aren't failing like they should. The very long answer on how to use Access-Control is here: http://www.w3.org/TR/2008/WD-access-control-20080912/ – Stephan Feb 05 '13 at 20:18
  • 2
    Actually further research, shows that `Access-Control-Allow-Origin` only supports `*` and a full host, i.e. wildcard domains are **NOT** supported. However still not sure why requests are working when I set: `add_header Access-Control-Allow-Origin https://google.com;` – Justin Feb 05 '13 at 20:24
  • Ah, seems I learned something as well then! – Stephan Feb 05 '13 at 20:27
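On the question raised in the comments above (why requests to a server that sends `Access-Control-Allow-Origin http://google.com` still "work"): the browser sends the request, the server handles it in full, and only afterwards does the browser decide whether the page's script may read the response. The following is an added example, not code from the answers or comments: a JavaScript model of that response-side check (the CORS check from the Fetch standard) driven by constructed response headers. `simulateFetch`, the `PAGE` origin and the response objects are assumptions for illustration.

```javascript
// Added example, not code from the page: a minimal model of the CORS check a
// browser applies to a cross-origin response. It shows why a server with a
// wrong Access-Control-Allow-Origin still receives and processes the request;
// the header only controls whether script on the requesting page may read
// the response afterwards.

// Returns true when script running at `requestOrigin` may read a response
// whose headers are given in `headers` (lower-case names), false when the
// browser blocks the read. Follows the Fetch standard's CORS check.
function corsCheck(requestOrigin, headers, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;               // no header: blocked
  if (!withCredentials && acao === '*') return true;  // wildcard only for anonymous requests
  if (acao !== requestOrigin) return false;           // must name the exact origin
  if (!withCredentials) return true;
  // Credentialed reads additionally need an explicit opt-in.
  return headers['access-control-allow-credentials'] === 'true';
}

// Simulates one cross-origin GET (a "simple" request, so no preflight).
// Returns what the server experienced and what the page was allowed to see.
function simulateFetch(requestOrigin, responseHeaders, withCredentials) {
  // The request leaves the browser carrying an Origin header and, for
  // credentials: 'include', the user's cookies; the server handles it in full
  // before any CORS header is even looked at.
  const serverHandledRequest = true;
  // Only when the response comes back does the browser apply the check.
  const pageCanRead = corsCheck(requestOrigin, responseHeaders, withCredentials);
  return { serverHandledRequest, pageCanRead };
}

// Constructed responses (not captured from any real server).
const PAGE = 'https://tenant1.mydomain.com';
const MISCONFIGURED = { 'access-control-allow-origin': 'http://google.com' }; // the test setting from the comments
const WILDCARD = { 'access-control-allow-origin': '*' };
const REFLECTED = {
  'access-control-allow-origin': PAGE,
  'access-control-allow-credentials': 'true',
};
const REFLECTED_NO_OPT_IN = { 'access-control-allow-origin': PAGE };

console.log(simulateFetch(PAGE, MISCONFIGURED, false)); // server handled it, page cannot read
console.log(simulateFetch(PAGE, WILDCARD, false));      // readable
console.log(simulateFetch(PAGE, WILDCARD, true));       // '*' is rejected once credentials are sent
console.log(simulateFetch(PAGE, REFLECTED, true));      // readable, with cookies
```

The first case is the comment's situation: the server's log shows the request and any side effect has already happened; the page simply gets a network error instead of the body. That is also why the second answer's scenario matters: once the Origin allowlist reflects an attacker's domain and `Allow-Credentials` is `true`, the read succeeds too. Whether the user's cookies actually ride along on such a request additionally depends on their `SameSite` attribute, which this model does not cover.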