Skip to content

serve the way w3c sez to do it #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: gh-pages
Choose a base branch
from
Open

serve the way w3c sez to do it #103

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a5c9661
http://www.w3.org/TR/access-control/#resource-requests sez to do it t…
timball Jun 9, 2015
e3f6b63
fixed after feedback from @monsur
timball Jun 10, 2015
39a825f
yeah get rid of OPTIONS in because it's redundant
timball Jun 10, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 28 additions & 25 deletions server_nginx.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
<div class="container">
<section>
<h1>CORS on Nginx</h1>

<p>The following Nginx configuration enables CORS, with support
for preflight requests.</p>

Expand All @@ -15,36 +15,39 @@ <h1>CORS on Nginx</h1>
# Wide-open CORS config for nginx
#
location / {
# the dance you have to do because if's can't be nested in nginx
if ($http_origin) {
set $cors "${cors}Origin"
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
#
# Om nom nom cookies
#
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
set $cors "${cors}Options"
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
$cors = "${cors}Post"
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
$cors = "${cors}Get"
}

if ($cors = OriginOptions) {
add_header 'Access-Control-Allow-Origin' $http_origin;
# these are only needed on OPTIONS
add_header 'Access-Control-Allow-Credentials' 'true'; # technically only needed if doing credentials

# be sure to add any other headers needed eg. X-APIKEY, Cache-Control ...
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Allow-Methods' 'GET, POST';
add_header 'Content-Length' 0;
add_header 'Access-Control-Max-Age' 86400; # allow caching for a day
return 204;
}
if ($cors = OriginGet) {
add_header 'Access-Control-Allow-Origin' $http_origin;
add_header 'Access-Control-Allow-Credentials' 'true'; # technically only needed if doing credentials
}
if ($cors = OriginPost) {
add_header 'Access-Control-Allow-Origin' $http_origin;
add_header 'Access-Control-Allow-Credentials' 'true'; # technically only needed if doing credentials
}
}
</pre>
Expand Down