[FEAT] Support "wildcard-like" subdomain of a given origin
writyou opened this issue
Can you support `'cors_allowed_origins' => 'https://*.abc.com'` (a `*` wildcard), that is, can any domain name under the domain be accessed?
@writyou Some considerations of this behavior:
| Origin                           | Configuration     | Allowed |
| -------------------------------- | ----------------- | ------- |
| https://test.example.com         | https://*.abc.com | 0       |
| https://abc.com                  | https://*.abc.com | ?       |
| https://www.abc.com              | https://*.abc.com | 1       |
| https://test.abc.com             | https://*.abc.com | 1       |
| https://test.abc.com.example.com | https://*.abc.com | 0       |
| http://test.example.com          | https://*.abc.com | 0       |
| http://abc.com                   | https://*.abc.com | 0       |
| http://www.abc.com               | https://*.abc.com | 0       |
| http://test.abc.com              | https://*.abc.com | 0       |
| http://test.abc.com.example.com  | https://*.abc.com | 0       |
For https://abc.com, what would you intend?
A list of strings representing regexes that match Origins that are authorized to make cross-site HTTP requests. Defaults to []. Useful when CORS_ALLOWED_ORIGINS is impractical, such as when you have a large number of subdomains.
Example:
```python
CORS_ALLOWED_ORIGIN_REGEXES = [
    # one label, then the literal ".example.com", anchored at both ends
    r"^https://\w+\.example\.com$",
]
```
My usage scenario is multi-site and multi-language; the other language sites share all resources, such as the main site's static files.
ex:
main website: https://www.enerart.com
others:
fr.enerart.com
de.enerart.com
.......
Now I have configured it in env.php, upgraded, and cleared the cache at the same time, but the other sites still report cross-domain errors; the URL is https://de.enerart.com.
Please help me see how this should be configured to be both more secure and accessible.
I think doing this saves network traffic and improves request speed, but I'm not sure if that is the case. Grateful.
@writyou if I understand you correctly, could you use:
```php
<?php
return [
    ...
    'system' => [
        'default' => [
            'web' => [
                'graphql' => [
                    'cors_allowed_origins' => 'https://www.enerart.com, https://de.enerart.com, https://fr.enerart.com',
                    ...
                ],
                'api_rest' => [
                    'cors_allowed_origins' => 'https://www.enerart.com, https://de.enerart.com, https://fr.enerart.com',
                    ...
                ]
            ]
        ]
    ]
    ...
];
```
Is the root issue that you find listing domains too tedious, or that there are too many?
```php
'system' => [
    'default' => [
        'web' => [
            'graphql' => [
                'cors_allowed_origins' => 'https://www.enerart.com, https://fr.enerart.com, https://de.enerart.com, https://ru.enerart.com, https://jp.enerart.com, https://vn.enerart.com, https://kr.enerart.com, https://pl.enerart.com, https://in.enerart.com, https://hk.enerart.com, https://id.enerart.com, https://my.enerart.com, https://it.enerart.com, https://nl.enerart.com, https://pt.enerart.com, https://ar.enerart.com, https://af.enerart.com, https://th.enerart.com, https://mm.enerart.com, https://tl.enerart.com',
                'cors_allowed_methods' => 'POST, OPTIONS',
                'cors_allowed_headers' => 'accept,accept-encoding,authorization,content-type,dnt,origin,user-agent,x-csrftoken,x-requested-with',
                'cors_max_age' => '86400',
                'cors_allow_credentials' => 1
            ],
            'api_rest' => [
                'cors_allowed_origins' => 'https://www.enerart.com, https://fr.enerart.com, https://de.enerart.com, https://ru.enerart.com, https://jp.enerart.com, https://vn.enerart.com, https://kr.enerart.com, https://pl.enerart.com, https://in.enerart.com, https://hk.enerart.com, https://id.enerart.com, https://my.enerart.com, https://it.enerart.com, https://nl.enerart.com, https://pt.enerart.com, https://ar.enerart.com, https://af.enerart.com, https://th.enerart.com, https://mm.enerart.com, https://tl.enerart.com',
                'cors_allowed_methods' => 'GET, POST, OPTIONS',
                'cors_allowed_headers' => 'accept,accept-encoding,authorization,content-type,dnt,origin,user-agent,x-csrftoken,x-requested-with',
                'cors_max_age' => '86400',
                'cors_allow_credentials' => 1
            ]
        ]
    ]
],
```
At present the configuration is like this, but it still reports an error, and after the page is opened, clicking the JS-related content has no effect:
```text
de.enerart.com/:1 Access to XMLHttpRequest at 'https://www.enerart.com/static/version1662571235/frontend/Enerart/enerart/de_DE/Magento_Ui/templates/block-loader.html' from origin 'https://de.enerart.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
text.min.js:9 GET https://www.enerart.com/static/version1662571235/frontend/Enerart/enerart/de_DE/Magento_Ui/templates/block-loader.html net::ERR_FAILED
```
At present, it needs to be configured in nginx.conf to fully take effect. The configuration is as follows. But is this "*" insecure, and can different permissions be done entirely in env.php?
```nginx
location ~* \.(ico|jpg|jpeg|png|gif|svg|svgz|webp|avif|avifs|js|css|eot|ttf|otf|woff|woff2|html|json|webmanifest)$ {
    add_header Cache-Control "public";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header 'Access-Control-Allow-Origin' '*' 'always';
    expires +1y;

    if (!-f $request_filename) {
        rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
    }

    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*' 'always';
        add_header 'Access-Control-Allow-Headers' 'x-requested-with' 'always';
        add_header 'Access-Control-Max-Age' 86400 'always';
        add_header 'Content-Length' 0 'always';
        return 204;
    }
}
```
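The matching rules laid out in the maintainer's table earlier in the thread, and the `*` question raised about the nginx snippet just above, worked through as an added PHP example. This is not code from the magento2-cors package or from anyone in the thread: the `https://*.abc.com` pattern syntax, the rule that `*.` stands for exactly one DNS label (so the apex `https://abc.com` is excluded), and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the magento2-cors module. It implements the
// origin semantics of the maintainer's table (scheme must match, exactly one
// extra label before the configured host, anchored so that
// "test.abc.com.example.com" is rejected) and shows why a bare "*" cannot be
// combined with cors_allow_credentials=1. The "https://*.abc.com" syntax and
// the function names are assumptions for this example.

/** Compile one allowed-origin entry (literal or "scheme://*.host") into an anchored regex. */
function originPatternToRegex(string $pattern): string
{
    if (!preg_match('~^(https?)://(\*\.)?([a-z0-9.-]+)(:\d+)?$~i', trim($pattern), $m)) {
        throw new InvalidArgumentException("Unsupported origin pattern: $pattern");
    }
    [, $scheme, $wildcard, $host] = $m;
    $port = $m[4] ?? '';
    // "*." stands for exactly one DNS label; the apex host itself does not match.
    $label = $wildcard !== '' ? '[a-z0-9-]+\.' : '';
    return '~^' . strtolower($scheme) . '://' . $label
        . preg_quote(strtolower($host), '~') . preg_quote($port, '~') . '$~i';
}

/**
 * Value for Access-Control-Allow-Origin, or null when the Origin is not allowed.
 * $allowedOrigins is the comma-separated string as written in env.php.
 */
function matchOrigin(string $origin, string $allowedOrigins, bool $allowCredentials): ?string
{
    $entries = array_filter(array_map('trim', explode(',', $allowedOrigins)), 'strlen');
    foreach ($entries as $entry) {
        if ($entry === '*') {
            // Browsers reject "*" on credentialed requests, so refuse rather than echo it.
            return $allowCredentials ? null : '*';
        }
        if (preg_match(originPatternToRegex($entry), $origin) === 1) {
            return $origin; // echo the exact matching Origin, never the pattern
        }
    }
    return null;
}

/** Response headers for a request Origin; an empty array means "send no CORS headers". */
function corsHeaders(string $origin, string $allowedOrigins, bool $allowCredentials): array
{
    $allow = matchOrigin($origin, $allowedOrigins, $allowCredentials);
    if ($allow === null) {
        return [];
    }
    $headers = ['Access-Control-Allow-Origin' => $allow];
    if ($allow !== '*') {
        $headers['Vary'] = 'Origin'; // per-origin responses must not be cached across origins
    }
    if ($allowCredentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

// Constructed sample input: the origins from the table, checked against "https://*.abc.com".
$origins = [
    'https://test.example.com',
    'https://abc.com',
    'https://www.abc.com',
    'https://test.abc.com',
    'https://test.abc.com.example.com',
    'http://test.abc.com',
];
foreach ($origins as $origin) {
    $allowed = matchOrigin($origin, 'https://*.abc.com', true) !== null;
    printf("%-36s %s\n", $origin, $allowed ? 'allowed' : 'blocked');
}

// A literal list keeps working unchanged, and "*" combined with credentials yields no headers.
print_r(corsHeaders('https://de.enerart.com', 'https://www.enerart.com, https://de.enerart.com', true));
print_r(corsHeaders('https://de.enerart.com', '*', true));
```

Run it with `php cors_match.php`. Only `https://www.abc.com` and `https://test.abc.com` are allowed: the scheme check blocks the `http://` origins, the `$` anchor blocks the suffix spoof `https://test.abc.com.example.com`, and the one-label rule leaves the apex `https://abc.com` to an explicit entry, which is the decision the maintainer's `?` asks about. On the nginx question: `Access-Control-Allow-Origin: *` on cacheable public static files that carry no user-specific data is not a disclosure problem, but it is incompatible with `cors_allow_credentials => 1`, because browsers refuse a `*` on credentialed requests. A credentialed endpoint has to echo the single matching origin and send `Vary: Origin`, which is what `corsHeaders()` does.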
@writyou it looks like you're trying to add CORS to static assets (not the REST or GraphQL APIs). This is outside the scope of this package.