
Shared Hosting Triggering CORS With Same Domain And Port

I have been struggling for the last couple of days with CORS, specifically preflight requests in a non-CORS setup. I'm sending a request from a SPA app via axios (domain.com:80) to a REST API (domain.com:80/api) and it's getting classified as a CORS request. Locally, with the same setup, requests are fine and do not trigger preflight requests.

From my research, a same-origin request must have:

  • same domain
  • same subdomain
  • same port
  • same protocol

I think my production environment checks all of the above but something says the opposite.

My environment is hosted at a shared-hosting provider in the following manner:

SPA (Vue) - http:/domain:80/company-name/
API (Laravel) - http:/domain:80/company-name/api

I have already tried:

  • Cloning the environment locally (works fine - does not send preflight requests)
  • Enabling / disabling Access-Control-Allow-Headers
  • To be honest I don't even know what to try next :|

Solving this problem will make my app 100% faster, so it's kind of a big deal for me. But it simply doesn't make sense. Maybe I'm missing something obvious.

Maybe it could be some proxy-related thing that my shared-hosting provider is doing. But even then I wouldn't know how to check that.

Preflight Request Example (From network tab in Dev Tools):

General
Request URL: http:/domain/company-name/api/perfil/3
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: 185.200.153.100:80
Referrer Policy: no-referrer-when-downgrade

Response Headers
Access-Control-Allow-Headers: AUTHORIZATION
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http:/domain
Access-Control-Max-Age: 25200
Cache-Control: no-cache, private
Connection: close
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Sat, 27 Apr 2019 18:28:40 GMT
Server: Apache

Request Headers
Provisional headers are shown
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Origin: http:/domain
Referer: http:/domain/company-name/perfis
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Request Example (Right after preflight response):

General
Request URL: http:/domain/company-name/api/perfil/3
Request Method: GET
Status Code: 200 OK
Remote Address: 185.200.153.100:80
Referrer Policy: no-referrer-when-downgrade

Response Headers
Accept-Ranges: bytes
Access-Control-Allow-Origin: http:/domain
Access-Control-Expose-Headers: *
Age: 0
Cache-Control: no-cache, private
Connection: keep-alive
Content-Type: application/json
Date: Sat, 27 Apr 2019 18:28:41 GMT
Server: Apache
Transfer-Encoding: chunked
Vary: Origin,Authorization
Via: 1.1 varnish-v4
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 58
X-Varnish: 46418125

Request Headers
Accept: application/json, text/plain, */*
Authorization: Bearer {token}
Origin: http:/domain
Referer: http:/domain/company-name/perfis
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

domain/.htaccess

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  # Leave /api and /api/... alone so the API directory's own .htaccess handles them
  RewriteRule ^(api)($|/) - [L]
  # Serve index.html itself directly
  RewriteRule ^index\.html$ - [L]
  # Everything that is not an existing file or directory goes to the SPA entry point
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.html [L]
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css|woff2)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>

domain/api/.htaccess

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

If any other data is needed feel free to ask.


Answer

Maybe i'm missing something obvious.

Yep.

In the SPA I was fetching domain/api when indeed www.domain/api was the right one. Making the origin URL match the request URL, as explained by @sideshowbarker:

As far as checking the URLs, the 'domain' part must be exactly the same. So for example 'api.domain.com' and 'www.domain.com' are two different origins. The headers you copied from the Network tab show 'Origin: http:/domain' and 'http:/domain/company-name/api/perfil/3'. So what I am telling you is that the origin of whatever the real 'http:/domain/company-name/api/perfil/3' URL actually is does not exactly match whatever 'Origin: http:/domain' actually is. Either the 'domain' part is not exactly the same, or they are not both 'http' or both 'https', or there is some port number you elided.
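The same-origin rules the question lists (scheme, host, port) and the point the answer makes (the origin of the request URL must match the page's origin exactly, and a request carrying an Authorization header is not a "simple" request, so a cross-origin one gets an OPTIONS preflight) can be checked outside the browser. The following is an added example, not code from the question, the answer or the Laravel/Vue projects involved. It uses Node's WHATWG `URL` class to compute origins the way the browser does, and applies the Fetch standard's CORS-safelisted method and header rules. The hostnames `domain` and `www.domain` are placeholders standing in for the asker's real hostname, which the question elides.

```javascript
// Added example: same-origin comparison and preflight prediction.
// Hostnames "domain" / "www.domain" are placeholders, not real hosts.

// An origin is scheme + host + port; the URL parser drops a default port
// (":80" for http, ":443" for https) and ignores path, query and fragment.
function originOf(url) {
  return new URL(url).origin;
}

// Two URLs are same-origin only when scheme, host and port all match.
// "domain" vs "www.domain", http vs https, or :80 vs :8080 all differ.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// CORS-safelisted methods and request headers from the Fetch standard.
// Anything outside these sets turns the request into a preflighted one.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns true when the browser must send an OPTIONS preflight before the
// actual request: the request is cross-origin AND not a "simple" request.
function needsPreflight(pageUrl, requestUrl, method, headers) {
  // Same-origin requests never get a preflight, whatever headers they carry.
  if (sameOrigin(pageUrl, requestUrl)) return false;
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    // Authorization, X-Requested-With, custom headers: not safelisted.
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    // Content-Type is only safelisted for three MIME types;
    // application/json, as sent by axios for POST bodies, is not one of them.
    if (lname === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Reproduces the situation from the question: the page lives on one host,
// the SPA calls the API on a different host label, with a Bearer token.
function diagnose(pageUrl, requestUrl, headers) {
  return {
    pageOrigin: originOf(pageUrl),
    requestOrigin: originOf(requestUrl),
    sameOrigin: sameOrigin(pageUrl, requestUrl),
    preflight: needsPreflight(pageUrl, requestUrl, 'GET', headers),
  };
}

// Constructed inputs mirroring the headers shown in the Network tab.
const AXIOS_HEADERS = {
  Accept: 'application/json, text/plain, */*',
  Authorization: 'Bearer {token}',
};

if (typeof require !== 'undefined' && require.main === module) {
  // Wrong host label in the SPA: cross-origin, so the token triggers OPTIONS.
  console.log(diagnose('http://www.domain/company-name/perfis',
                       'http://domain/company-name/api/perfil/3', AXIOS_HEADERS));
  // Corrected host: same origin, no preflight even with Authorization.
  console.log(diagnose('http://www.domain/company-name/perfis',
                       'http://www.domain:80/company-name/api/perfil/3', AXIOS_HEADERS));
}
```

Run with `node` to see both diagnoses: the first reports different origins and a preflight, the second reports the same origin (the explicit `:80` disappears because it is the default port) and no preflight. Removing the Authorization header from a cross-origin GET also removes the preflight, which is why the Access-Control-Request-Headers: authorization line in the question's OPTIONS request is the tell.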

source: stackoverflow.com