user3980196 - 3 months ago
Apache Configuration Question

Issues with Header set Access-Control-Allow-Origin

I have the following in my .htaccess file:

Header set Access-Control-Allow-Origin: "*"

It works perfectly! But it is bad security practice.

When I change it to:

Header set Access-Control-Allow-Origin: "http://example.com"

I get the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.com/oc/catalog/view/javascript/font-awesome/fonts/fontawesome-webfont.woff2?v=4.4.0. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://example.com').

How do I handle this?

Answer

From the live site:

Font from origin 'http://arvindint.com' has been blocked from loading by Cross-Origin Resource Sharing policy: The 'Access-Control-Allow-Origin' header has a value 'http://arvindint.com' that is not equal to the supplied origin. Origin 'http://www.arvindint.com' is therefore not allowed access.

From a comment from the OP:

Please note, I get this error when accessing the website through www.example.com instead of example.com

That is your problem.

If you give permission to example.com but not to www.example.com then you can't access it from www.example.com.

Permissions are on a per-origin basis, not on a per-second-level-domain basis.

Pick one of the two host names (with or without www) and stick to it. Redirect from one to the other. Don't host your site on two different host names. Doing so is more trouble than it is worth.
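The two approaches in .htaccess form, as an added example that is not part of the original answer: the canonical-host redirect the answer recommends and, going beyond the answer, an allowlist for cases where both host names must keep working. It assumes mod_rewrite, mod_setenvif and mod_headers are enabled; the variable name ALLOWED_ORIGIN and the font extension list are illustrative choices.

```apache
# Option 1 (what the answer recommends): serve the site from one host name.
# Every request for www.example.com is redirected to example.com, so pages
# and fonts share a single origin and the font request is no longer
# cross-origin.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^ http://example.com%{REQUEST_URI} [R=301,L]

# Option 2 (use instead of Option 1 if both host names must stay reachable):
# Access-Control-Allow-Origin carries exactly one origin, so compare the
# request's Origin header against an allowlist and echo it back on a match.
# The pattern is anchored with ^ and $ and the dots are escaped, so a value
# such as http://example.com.other.test or http://notexample.com fails.
SetEnvIf Origin "^http://(www\.)?example\.com$" ALLOWED_ORIGIN=$0

<FilesMatch "\.(woff2?|ttf|otf|eot)$">
    # Sent only when the Origin matched; other origins get no CORS header
    # and the browser blocks the read.
    Header set Access-Control-Allow-Origin "%{ALLOWED_ORIGIN}e" env=ALLOWED_ORIGIN
    # The response now varies by Origin, so caches must key on it.
    Header merge Vary "Origin"
</FilesMatch>
```

An origin is scheme, host and port together, so if the site is also served over https the allowlist needs the https origins as separate entries.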