I have 10 subdomains and am getting all static files from a subdomain (static.88n8.com).

I want to allow cross origin for all sub domains in .htaccess with this:

SetEnvIf Origin "^http(s):\/\/(www\.google.com|google\.com|88n8\.com|second\.88n8\.com|third\.88n8\.com|fourth\.88n8\.com)$" OriginDomainStr=$0
Header add Access-Control-Allow-Origin %{OriginDomainStr}e env=OriginDomainStr

Or this one:

SetEnvIf Origin "^http(s):\/\/(www\.google.com|google\.com|88n8\.com|second\.88n8\.com|third\.88n8\.com|fourth\.88n8\.com)$" OriginDomainStr=$0
Header set Access-Control-Allow-Origin %{OriginDomainStr}e env=OriginDomainStr

Or this one:

SetEnvIf Origin "^http(s):\/\/(www\.google.com|google\.com|88n8\.com|second\.88n8\.com|third\.88n8\.com|fourth\.88n8\.com)$" OriginDomainStr=$0
Header always set Access-Control-Allow-Origin %{OriginDomainStr}e env=OriginDomainStr

And the console shows me:

Access to font at 'https://static.88n8.com/font.woff' from origin 'https://88n8.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Which is very weird. That regex should match, but it seems it doesn't match at all.

I tried this one to check if I can set the header, and it worked for the main domain:

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "https://88n8.com"
</IfModule>

I don't want to use * or a single domain. Why does my regex never match in .htaccess? My regex test seems OK.

Disclaimer: 88n8.com is an example to show that my domain includes numbers and English characters. It's not my real domain and I don't own it.

Edit 1

As you can see in my REGEX, it should be applied to all 88n8.com sub domains and google.com (with https or http). I have only included 4 sub domains in my REGEX to show you my REGEX.

Edit 2

I've added this code to my PHP pages to find out the current Origin:

echo (isset($_SERVER['HTTP_ORIGIN']))? $_SERVER['HTTP_ORIGIN'] : 'NOT SET';

and the result is NOT SET. It seems my Origin is empty or NULL, and that's the reason the regex never matches.

Edit 3

I've checked the server IP with IP2Proxy. This is the Proxy Detection Result:

[Image: Proxy Detection Result]

Edit 4

I've tried to select anything, but still no luck with these two regexes:

SetEnvIf Origin "." OriginDomainStr=$0
Header add Access-Control-Allow-Origin %{OriginDomainStr}e env=OriginDomainStr

SetEnvIf Origin "^(?![\s\S])" OriginDomainStr=$0
Header add Access-Control-Allow-Origin %{OriginDomainStr}e env=OriginDomainStr

How can I see the value of Origin directly?

ICE

1 Answer

You're accessing from the static subdomain. It's not in the regex of approved subdomains.

Also it won't match http because of (s). To make it optional change http(s) to https? (it makes the s optional). This should also solve everything else because as you're creating a match group with (s), your $0 variable will be s and not the domain you wanted.

I'd also suggest combining the subdomains.

^https?:\/\/((www\.)?google\.com|(first|second|third|fourth|static)\.88n8\.com)$

All subdomains and main domain from both 88n8.com and google.com

^https?:\/\/((www\.)?google\.com|(.+\.)?88n8\.com)$

WoLfulus
  • Are you behind a proxy that maybe is removing the Origin header? – WoLfulus Jun 02 '19 at 03:28
  • Oh, I see there are two groups in the regex. Try changing `http(s)` to `https?`. I'll update the answer as I think this is the case. – WoLfulus Jun 02 '19 at 14:41
  • Only `.` doesn't set a match group, try `(.*)` instead and see what happens – WoLfulus Jun 02 '19 at 22:59
  • Didn't work. I gave up! I'll use `Header set Access-Control-Allow-Origin "*"` for font files, which is not good to do. But it's the only option. Thanks for your time. – ICE Jun 02 '19 at 23:08
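
Added example, not part of the original question, answer or comments: a Python harness that runs the three patterns from this page, plus a stricter `strict` variant that is an assumption of this example, over constructed Origin values and reports what `%{OriginDomainStr}e` would echo back. Python's `re` stands in for Apache's regex engine, which behaves the same for the syntax used here; in `SetEnvIf`, `$0` is the whole matched string.

```python
import re

# Patterns copied from the question and the answer on this page.
PATTERNS = {
    "question": r"^http(s):\/\/(www\.google.com|google\.com|88n8\.com|second\.88n8\.com|third\.88n8\.com|fourth\.88n8\.com)$",
    "answer_list": r"^https?:\/\/((www\.)?google\.com|(first|second|third|fourth|static)\.88n8\.com)$",
    "answer_wildcard": r"^https?:\/\/((www\.)?google\.com|(.+\.)?88n8\.com)$",
    # Assumption, not from the page: subdomain labels limited to DNS characters.
    "strict": r"^https?:\/\/((www\.)?google\.com|([a-z0-9-]+\.)*88n8\.com)$",
}

# Constructed Origin values; None models a request that carries no Origin header.
ORIGINS = [
    "https://88n8.com",              # the origin named in the console error
    "http://88n8.com",               # plain-http variant
    "https://static.88n8.com",       # the static subdomain itself
    "https://not88n8.com",           # lookalike suffix, must never be allowed
    "https://www.googlexcom",        # probes the unescaped dot in "google.com"
    "https://a.example/x.88n8.com",  # not a valid origin; probes how much ".+" accepts
    None,
]

def allowed_origin(pattern, origin):
    """Return the whole match (what $0 would hold), or None when nothing matches."""
    if origin is None:
        return None  # no Origin header, so nothing to allow
    match = re.search(pattern, origin)
    return match.group(0) if match else None

def decisions():
    """Map pattern name -> {origin: echoed header value, or None for no header}."""
    return {
        name: {origin: allowed_origin(pattern, origin) for origin in ORIGINS}
        for name, pattern in PATTERNS.items()
    }

if __name__ == "__main__":
    for name, row in decisions().items():
        print(name)
        for origin, value in row.items():
            print(f"  {str(origin):30} -> {value or 'no header'}")
```

Whichever pattern is used, a response that echoes the request's Origin should also send `Vary: Origin` so that shared caches do not serve one origin's response to another.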