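You cannot use '*' in Access-Control-Allow-Origin and send Access-Control-Allow-Credentials: true at the same time. This actually makes sense, but during development this dirty hack is useful (for apache2). It reflects any http(s) Origin back in the response, so every site is allowed to make credentialed requests: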
SetEnvIf Origin "^http(s)?://.*$" REQUEST_ORIGIN=$0
Header always set Access-Control-Allow-Origin %{REQUEST_ORIGIN}e env=REQUEST_ORIGIN
Header always set Access-Control-Allow-Credentials true
How it works in action (I'm using httpie instead of curl):
$ http -ph POST https://example.com/ Origin:https://google.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://google.com
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 1039
Content-Type: text/html
Date: Thu, 12 Oct 2023 08:50:33 GMT
ETag: "9a1-6020521d58f80-gzip"
Keep-Alive: timeout=5, max=100
Last-Modified: Thu, 03 Aug 2023 13:55:26 GMT
Server: Apache/2.4.56 (Debian)
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: disabled
If you want it only for specific Origins:
# Dots are escaped so that "." matches only a literal dot in the hostname
SetEnvIf Origin "^https?://(example\.com|www\.example\.com)$" GOODORIGIN=$0
Header set Access-Control-Allow-Origin %{GOODORIGIN}e env=GOODORIGIN
Header set Access-Control-Allow-Credentials "true" env=GOODORIGIN
Header merge Vary Origin
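The allowlist decision can be checked offline before the rules go into Apache. This is an added example, not part of the original post: it compares an allowlist pattern whose dots are unescaped with the escaped form, using grep -E as an approximation of the SetEnvIf match. The helper names and the sample Origin values are made up for illustration.

```shell
#!/bin/sh
# Constructed patterns in ERE syntax, modelled on the SetEnvIf allowlist.
LOOSE='^https?://(example.com|www.example.com)$'      # "." matches any character
STRICT='^https?://(example\.com|www\.example\.com)$'  # "\." matches a literal dot only

# origin_allowed PATTERN ORIGIN: exit 0 when the Origin would set GOODORIGIN.
# (hypothetical helper; grep -E approximates Apache's regex match)
origin_allowed() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# cors_headers PATTERN ORIGIN: print the CORS headers the three rules would add.
cors_headers() {
    if origin_allowed "$1" "$2"; then
        printf 'Access-Control-Allow-Origin: %s\n' "$2"
        printf 'Access-Control-Allow-Credentials: true\n'
    fi
    printf 'Vary: Origin\n'   # "Header merge Vary Origin" is unconditional
}

# Constructed sample Origin values.
for origin in 'https://example.com' 'http://www.example.com' \
              'https://wwwxexample.com' 'https://example.com.other.test' 'null'; do
    for name in LOOSE STRICT; do
        eval "pattern=\$$name"
        if origin_allowed "$pattern" "$origin"; then verdict=allowed; else verdict=rejected; fi
        printf '%-6s %-32s %s\n' "$name" "$origin" "$verdict"
    done
done
```

Only the unescaped pattern accepts https://wwwxexample.com, a different registrable domain; the trailing $ anchor rejects suffixed hosts in both forms.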