3

I have a simple AJAX request that calls http://myexamplefeed.com/feed/23213

I just moved this site to a new server, and all of a sudden I'm getting this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myexamplefeed.com/feed/23213. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)’).

The thing is, in my .htaccess file I've tried to match *:

<IfModule mod_headers.c>
  Header set Access-Control-Allow-Origin: *
</IfModule>

and http://myexamplefeed.com:

<IfModule mod_headers.c>
  Header set Access-Control-Allow-Origin: "http://myexamplefeed.com"
</IfModule>

and I still get the CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)’ error.

Isn't null referring to the Header set Access-Control-Allow-Origin value, and shouldn't I be able to alter it in my .htaccess file?


UPDATE: That was in Firefox. In Chrome I'm getting this message:

The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed

sideshowbarker
symlink
  • 1
    This guide may help. https://enable-cors.org/server_apache.html – Muhammad Saqlain Feb 20 '17 at 07:29
  • 2
    If you check the response headers I think you may find multiple `Access-Control-Allow-Origin` response headers are being sent in the response. You can test outside the browser using curl, like this: `curl -i -H "Origin: http://sitethiserrorisoccurringon.com" http://myexamplefeed.com/feed/23213` – sideshowbarker Feb 20 '17 at 08:50
  • 1
    The difference in the error messages is just because Chrome does a validation check on the Access-Control-Allow-Origin header value before it tries to use it, while Firefox currently doesn’t do any such check but instead just tries to do a literal match against the header value (which if it has multiple tokens is never going to match anything). – sideshowbarker Feb 20 '17 at 08:51
  • @sideshowbarker sure enough, two "Access-Control-Allow-Origin: *" response headers. The weird thing is, this is after the line was commented out of .htaccess. Also, no sign of it in /etc/httpd/conf/httpd.conf! – symlink Feb 20 '17 at 08:59
  • @sideshowbarker FWIW, the duplicate response headers come after these: "X-Powered-By: PHP/5.4.16" and "X-Powered-By: PleskLin" – symlink Feb 20 '17 at 09:06
  • Yeah, I was gonna say the new server must be running something in addition to Apache. Plesk uses nginx in addition to Apache, so you want to look through the *.conf files in /etc/nginx/ for anything that’s setting the Access-Control-Allow-Origin header. And same for wherever the PHP config is. – sideshowbarker Feb 20 '17 at 09:10
  • @sideshowbarker I will check there. However, I should mention that I have several Plesk subscriptions running. Another site (site 2) on the server accepts the cross-origin request fine. I just located and turned off the headers module in a .conf file and the problem site started working while site 2 shut down. So I just need to locate the extra headers mod reference for the problem site, I think.. – symlink Feb 20 '17 at 09:18
  • @symlink Yeah that sounds like the productive troubleshooting route to pursue – sideshowbarker Feb 20 '17 at 09:21
  • @sideshowbarker it's really strange, since adding or removing Access-Control-Allow-Origin directives to .htaccess doesn't seem to affect anything. Always 2 response headers from the curl.. – symlink Feb 20 '17 at 09:30
  • As far as “adding or removing Access-Control-Allow-Origin directives to .htaccess doesn't seem to affect anything” maybe that’s because mod_headers isn’t enabled and you’d need to do “a2enmod headers && apache2 -k graceful”. But if it is already enabled then yeah I dunno. – sideshowbarker Feb 20 '17 at 09:33
  • @symlink for `The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed` you might have two .htaccess in your api. for example one in example.com and the other in example.com/feed. that was the case for me. – Hamid Asghari Jul 03 '17 at 06:42
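
The check discussed in the comments above, as an added example that is not part of the original thread: it parses a captured `curl -i` response and applies the same comparison a browser makes for a request without credentials, showing why two `*` headers fail. The sample response and the function names are constructed for illustration.

```python
# Added example: the browser's Access-Control-Allow-Origin check, modelled offline.
SAMPLE_RESPONSE = (  # constructed sample, not captured from the real server
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/5.4.16\r\n"
    "X-Powered-By: PleskLin\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "{}"
)

ACAO = "access-control-allow-origin"


def header_values(raw_response, name):
    """Return every value sent for header `name`, in wire order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def cors_origin_check(raw_response, request_origin):
    """Return (passes, combined_value, header_count) for a request without credentials."""
    values = header_values(raw_response, ACAO)
    if not values:
        return False, None, 0
    # Repeated headers are combined with ", " before the comparison,
    # so two "*" headers become the single value "*, *".
    combined = ", ".join(values)
    passes = combined == "*" or combined == request_origin
    return passes, combined, len(values)


if __name__ == "__main__":
    origin = "http://sitethiserrorisoccurringon.com"  # placeholder from the curl comment
    print(cors_origin_check(SAMPLE_RESPONSE, origin))
    single = SAMPLE_RESPONSE.replace("Access-Control-Allow-Origin: *\r\n", "", 1)
    print(cors_origin_check(single, origin))
```

A header count above 1 means more than one layer (an `.htaccess` file, a vhost or proxy config, or the application) is setting the header, and all but one of them has to stop.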

3 Answers

3

Try with:

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Croises
1

I'm sorry but using multiple values on Access-Control-Allow-Origin is not permitted. Either you use the wildcard "*" or use a single domain.

Another approach is to do a small script and change that value based on the origin of the request, comparing it against a list of possible domains.

Alberto S.
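
One way to write the small script this answer describes, as an added example that is not the answerer's code: the request's Origin is compared by exact match against an allowlist, any `Access-Control-Allow-Origin` set earlier is dropped so only one value is ever sent, and `Vary: Origin` is added so caches do not reuse a response across origins. The allowlisted hosts and the function name `apply_cors` are hypothetical.

```python
# Added example: allowlist-based Access-Control-Allow-Origin selection.
ALLOWED_ORIGINS = frozenset({      # hypothetical origins, exact serialized form
    "https://app.example.com",
    "https://admin.example.com",
})

ACAO = "Access-Control-Allow-Origin"


def apply_cors(response_headers, request_origin, allowed=ALLOWED_ORIGINS):
    """Return a new header list carrying at most one Access-Control-Allow-Origin.

    response_headers: list of (name, value) pairs already set by the application.
    request_origin:   value of the request's Origin header, or None if absent.
    """
    # Drop any copy set earlier in the stack; two copies reach the browser
    # as one combined value such as "*, *", which never matches.
    # A proxy in front of this code can still add its own header afterwards.
    out = [(k, v) for k, v in response_headers if k.lower() != ACAO.lower()]

    # The response now depends on the request's Origin, so shared caches
    # must key on it.
    out.append(("Vary", "Origin"))

    # Exact string match only: no prefix, suffix or regex comparison, and
    # the literal origin "null" is allowed only if listed (it is not).
    if request_origin in allowed:
        out.append((ACAO, request_origin))
    return out


if __name__ == "__main__":
    app_headers = [("Content-Type", "application/json"), (ACAO, "*")]
    for origin in ("https://app.example.com", "https://app.example.com.other.test",
                   "null", None):
        print(origin, "->", apply_cors(app_headers, origin))
```
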
1

This is a bit late but for those wanting to support multiple domains this is possible with a little extra config. I wouldn't suggest doing this beyond a handful of domains. This will work in Apache 2.4+.

<IfModule mod_setenvif.c>
    SetEnvIfExpr "(tolower(req('Origin')) == 'https://prod.someschool.edu')" isProd
    SetEnvIfExpr "(tolower(req('Origin')) == 'https://dev.someschool.edu')" isDev

    <IfModule mod_headers.c>
        Header always set Access-Control-Allow-Origin "https://prod.someschool.edu" env=isProd
        Header always set Access-Control-Allow-Origin "https://dev.someschool.edu" env=isDev
    </IfModule>
</IfModule>
Josh Brule