cors – corp | both annoying + do not check box in inspector*

do not check box in inspector
DO NOT CHECK – SHOW CORS ERRORS IN CONSOLE


https://davidtruxall.com/misleading-cors-errors/


As another alternative, I could even start an instance of Chrome without the CORS protections enabled using the terminal on my Mac:

open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security

This also worked and I could now see the 503 error in the Chrome developer console. I do not like to develop using Chrome with security disabled because it ultimately hides issues like CORS which can occur as legitimate errors. But it’s a good tool for troubleshooting.

Perhaps we could fix the problem by configuring the reverse proxy to add the missing Access-Control-Allow-Origin in the case of 5xx HTTP responses? Or maybe configure the reverse proxy to add the CORS-related headers all the time instead of the underlying application? I’m not sure, finding information about this situation has been difficult.

The bottom line is this: If you see a CORS error when there were none previously and believe CORS is configured correctly on the back end, use some other tool to ensure you are troubleshooting the correct error.

ENABLE CORS APACHE / CORP - mozilla

https://ubiq.co/tech-blog/enable-cors-apache-web-server/

How to Enable CORS in Apache Web Server

By default, cross domain requests are disabled in Apache web server. You need to set the Access-Control-Allow-Origin header to enable CORS (Cross Origin Resource Sharing) in Apache. Here are the steps to enable CORS in Apache web server.

Here’s how to enable CORS in Apache

1. Enable headers module

You need to enable headers module to enable CORS in Apache.

Ubuntu/Debian

On Ubuntu/Debian Linux, open a terminal and run the following command to enable the headers module.

$ sudo a2enmod headers

CentOS/Redhat/Fedora

On CentOS/Redhat/Fedora Linux, open the Apache configuration file httpd.conf and uncomment the following line by removing the # in front of it.

LoadModule headers_module modules/mod_headers.so

2. Enable CORS in Apache

Next, add the “Header add Access-Control-Allow-Origin *” directive to your main Apache config file, a .htaccess file, or a Virtual Host configuration file, depending on your requirement. If you add it to the main configuration file, CORS will be enabled for all websites on your server. If you add it to a .htaccess file or a virtual host configuration file, it will be enabled only for that website. Here are examples of how to add this directive in the different files. You can use any one of them.

Directory Tag in Main Configuration File

<Directory /var/www/html>
   ...
   Header set Access-Control-Allow-Origin "*"
   ...
</Directory>

Anywhere in .htaccess file

   ...
   Header add Access-Control-Allow-Origin "*"
   ...

VirtualHost Tag in Virtual Host Configuration File

<VirtualHost *:443>
   ...
   Header add Access-Control-Allow-Origin "*"
   ...
</VirtualHost>

There are different configurations available to enable CORS in Apache.

Enable CORS from all websites

If you want to enable CORS for all websites, that is, accept cross domain requests from all websites, add the following

Header add Access-Control-Allow-Origin "*"

In the above statement, we use the wildcard (*) as the value of the Access-Control-Allow-Origin header (Apache directives take no trailing semicolon).

Enable CORS from one domain

If you want to enable CORS for one website (e.g. example.com), specify that site's origin, scheme included, in place of the wildcard. A bare hostname never matches, because the Origin header a browser sends always has the form scheme://host[:port].

Header add Access-Control-Allow-Origin "https://example.com"

Enable CORS from multiple domains

If you want to enable CORS for multiple domains (e.g. example1.com, example2.com, example3.com), Apache has to send back whichever allowed origin the request came from: browsers reject a response that carries more than one Access-Control-Allow-Origin value. Match the request's Origin header against the list with SetEnvIf and set the header from the matched value:

SetEnvIf Origin "^https://(example1\.com|example2\.com|example3\.com)$" CORS_ORIGIN=$0
Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
Header merge Vary Origin

Enable CORS from localhost

If you want to enable CORS from localhost, use the localhost origin (scheme and, if one is used, port) in place of the domain name, e.g. http://localhost or http://127.0.0.1. Note that these two are different origins.

Header add Access-Control-Allow-Origin "http://localhost"
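The per-request logic behind the single-origin and multi-origin configurations above, as an added example (not code from the tutorial): it is what Apache's SetEnvIf/Header pair, or the reverse proxy from the first note, has to compute, and it makes the two pitfalls visible, a bare hostname that never matches and a second Access-Control-Allow-Origin value that browsers reject. The function names and the allow-list are constructed for this example.

```python
"""Origin allow-list logic behind the Access-Control-Allow-Origin header.

Added example, not code from the tutorial above.  A browser's Origin header
is always scheme://host[:port], so "example.com" on its own never matches."""
from urllib.parse import urlsplit


def normalize_origin(value):
    """Return the serialized origin for value, or None if it is not an origin."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allowlist_errors(allowed):
    """Entries that are not origins (and not "*"); these would silently never match."""
    return [a for a in allowed if a != "*" and normalize_origin(a) is None]


def cors_headers(request_origin, allowed, allow_credentials=False):
    """Response headers to add for one request, given the configured allow-list.

    Exactly one Access-Control-Allow-Origin value is ever emitted, because a
    response carrying several is rejected by the browser.  For an origin that
    is not allowed only Vary: Origin is returned, so shared caches do not replay
    another origin's answer and the browser blocks the cross-origin read."""
    bad = allowlist_errors(allowed)
    if bad:
        raise ValueError(f"allow-list entries are not origins: {bad}")
    if "*" in allowed:
        if allow_credentials:
            raise ValueError("a wildcard origin cannot be combined with credentials")
        return {"Access-Control-Allow-Origin": "*"}
    origin = normalize_origin(request_origin or "")
    if origin is None or origin not in {normalize_origin(a) for a in allowed}:
        return {"Vary": "Origin"}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```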

3. Restart Apache Server

Restart Apache web server to apply changes

-------------- On Debian/Ubuntu -------------- 
# apache2 -t
# systemctl restart apache2.service

-------------- On RHEL/CentOS/Fedora --------------
# httpd -t
# systemctl restart httpd.service

You can use free online tools like Test CORS to test if your website accepts CORS.

That’s it! Hopefully the above tutorial will help you enable CORS in Apache.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

Cross-Origin Resource Policy (CORP)

Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.

CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.

Note: The policy is only effective for no-cors requests, which are issued by default for CORS-safelisted methods/headers.

As this policy is expressed via a response header, the actual request is not prevented—rather, the browser prevents the result from being leaked by stripping the response body.

Usage

Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break PDF rendering, preventing visitors from being able to read past the first page of some PDFs. Exercise caution using this header in a production environment.

Web applications set a Cross-Origin Resource Policy via the Cross-Origin-Resource-Policy HTTP response header, which accepts one of three values:

  • same-site

    Only requests from the same Site can read the resource. Warning: This is less secure than an origin. The algorithm for checking if two origins are same site is defined in the HTML standard and involves checking the registrable domain.

  • same-origin

    Only requests from the same origin (i.e. scheme + host + port) can read the resource.

  • cross-origin

    Requests from any origin (both same-site and cross-site) can read the resource. This is useful when COEP is used (see below).

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

During a cross-origin resource policy check, if the header is set, the browser will deny no-cors requests issued from a different origin/site.

Relationship to cross-origin embedder policy (COEP)

The Cross-Origin-Embedder-Policy HTTP response header, when used upon a document, can be used to require subresources to either be same-origin with the document, or come with a Cross-Origin-Resource-Policy HTTP response header to indicate they are okay with being embedded. This is why the cross-origin value exists.
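The decision described in the value list above and in the COEP paragraph, worked as an added example that is not MDN's code. It follows the CORP check in the Fetch standard; the registrable-domain helper, which simply takes the last two labels of a host, is an assumption standing in for the Public Suffix List lookup a browser performs.

```python
"""Cross-Origin Resource Policy check for one request, following the Fetch
standard's CORP algorithm.  Added example, not MDN's code."""
from urllib.parse import urlsplit


def origin_of(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def registrable_domain(host):
    """Assumption: the last two labels stand in for a Public Suffix List lookup."""
    return ".".join(host.split(".")[-2:])


def corp_allows(requester, resource, corp=None, mode="no-cors",
                embedder_policy="unsafe-none"):
    """True when the document at `requester` may read the body of `resource`.

    corp: the response's Cross-Origin-Resource-Policy value, or None if absent.
    mode: request mode; CORP is only consulted for no-cors requests.
    embedder_policy: the requesting document's COEP ("unsafe-none"/"require-corp").
    """
    if mode != "no-cors":
        return True  # CORS-mode requests are decided by the CORS headers instead
    policy = corp.strip() if corp is not None else None
    if policy not in ("same-origin", "same-site", "cross-origin"):
        policy = None  # absent or unrecognized header counts as no policy
    if policy is None and embedder_policy == "require-corp":
        policy = "same-origin"  # COEP requires CORP: without it, same-origin only
    if policy in (None, "cross-origin"):
        return True  # not blocked by CORP (CORB may still strip some bodies)
    req, res = origin_of(requester), origin_of(resource)
    if policy == "same-origin":
        return req == res  # scheme, host and port must all match
    # same-site: same registrable domain, and an http document never reads https
    same_site = registrable_domain(req[1]) == registrable_domain(res[1])
    return same_site and (req[0] == "https" or res[0] != "https")
```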

History

The concept was originally proposed in 2012 (as From-Origin), but resurrected in Q2 of 2018 and implemented in Safari and Chromium.

In early 2018, two side-channel hardware vulnerabilities known as Meltdown and Spectre were disclosed. These vulnerabilities allowed sensitive data disclosure due to a race condition which arose as part of speculative execution functionality, designed to improve performance.

In response, Chromium shipped Cross-Origin Read Blocking, which automatically protects certain resources (of Content-Type HTML, JSON and XML) against cross-origin reads. If the application does not serve a no-sniff directive, Chromium will attempt to guess the Content-Type and apply the protection anyway.

Cross-Origin-Resource-Policy is an opt-in response header which can protect any resource; there is no need for browsers to sniff MIME types.

Specifications

Specification | Status          | Comment
Fetch         | Living Standard | Initial definition

Browser compatibility

Cross-Origin-Resource-Policy: supported since Chrome 73

Last modified: Mar 1, 2022, by MDN contributors
