I have a page served over HTTP. Client code sends AJAX requests for authorization to the same domain, but over HTTPS (so it is CORS).

Firefox generates this request (domains and cookies are changed):

OPTIONS /auth/registration/json/info/ HTTP/1.1
Host: my-site.dev
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,pl;q=0.8,ru;q=0.6,en-us;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://my-site.dev
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
Connection: keep-alive

And my server responds:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Thu, 07 Nov 2013 09:55:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: https://my-site.dev
Vary: Cookie
Access-Control-Allow-Origin: http://my-site.dev
Access-Control-Allow-Methods: OPTIONS, GET
Set-Cookie: csrftoken=foobar; expires=Thu, 06-Nov-2014 09:55:55 GMT; Max-Age=31449600; Path=/

0

FireBug shows that OPTIONS request succeeded, but does not fire GET request after it:

What is wrong in my response?

Qantas 94 Heavy
Vladimir Lagunov
  • I'm just speculating as there isn't any code to reproduce this, but it's possible that having duplicate headers, you're in effect allowing more than one domain, which nullifies both of them (only one is permitted). `Access-Control-Allow-Origin: https://my-site.dev`, then later `Access-Control-Allow-Origin: http://my-site.dev` – Qantas 94 Heavy Nov 07 '13 at 12:01
  • I tried to combine domains in one header, joining either by comma or by space. Same result. – Vladimir Lagunov Nov 08 '13 at 01:42
  • 1
    The point is that you can't have multiple domains for CORS, as far as I know. You'd need to change the headers server-side each time one of them requests for it. – Qantas 94 Heavy Nov 08 '13 at 01:42

1 Answer

Qantas 94 Heavy, you're right. There should be only one Access-Control-Allow-Origin header with only one domain: the domain specified in the Origin request header.

This is the right answer that Firefox accepts:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Thu, 07 Nov 2013 09:55:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Cookie
Access-Control-Allow-Origin: http://my-site.dev      // The same as `Origin`
Access-Control-Allow-Methods: OPTIONS, GET
Set-Cookie: csrftoken=foobar; expires=Thu, 06-Nov-2014 09:55:55 GMT; Max-Age=31449600; Path=/

Vladimir Lagunov
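As an added example (not code from the question or the answer above): a small Python helper that builds a preflight response with exactly one Access-Control-Allow-Origin echoing an allowlisted Origin, plus a checker that flags the duplicate-header response from the question. The ALLOWED_ORIGINS set and the header values are constructed for illustration; the wildcard origin is deliberately not accepted, on the assumption that this endpoint is used with cookies.

```python
# Added example: single-origin CORS preflight handling plus a checker for the
# duplicate Access-Control-Allow-Origin mistake shown in the question.

# Constructed allowlist: origins this server is willing to answer cross-origin.
ALLOWED_ORIGINS = {"http://my-site.dev", "https://my-site.dev"}


def cors_preflight_headers(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS headers for an OPTIONS preflight as (name, value) pairs.

    Exactly one Access-Control-Allow-Origin is emitted, echoing the request's
    Origin, and only if that Origin is on the allowlist. Otherwise no CORS
    headers are returned and the browser refuses the cross-origin call.
    """
    origin = request_headers.get("Origin")
    if origin not in allowed_origins:
        return []
    return [
        ("Access-Control-Allow-Origin", origin),   # one header, one origin
        ("Vary", "Origin"),                        # keep caches from serving one origin's answer to another
        ("Access-Control-Allow-Methods", "OPTIONS, GET"),
        ("Access-Control-Allow-Headers", "x-requested-with"),
    ]


def parse_response_head(raw):
    """Parse a raw HTTP/1.1 response head into a list of (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_cors_response(pairs, origin):
    """Return the problems a browser would trip over; an empty list means OK."""
    acao = [v for n, v in pairs if n.lower() == "access-control-allow-origin"]
    problems = []
    if len(acao) != 1:
        problems.append("expected exactly one Access-Control-Allow-Origin, got %d" % len(acao))
    for value in acao:
        if "," in value or " " in value:
            problems.append("a single Access-Control-Allow-Origin value may not list several origins")
        elif value != origin:   # "*" is rejected too: credentialed (cookie) requests need an exact origin
            problems.append("Access-Control-Allow-Origin %r does not match Origin %r" % (value, origin))
    return problems
```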