httpd-users mailing list archives

From Valerio Pachera <>
Subject [users@httpd] CORS (Cross Origin Resource Sharing) server side configuration
Date Fri, 20 Apr 2018 08:16:48 GMT
Good Morning, I'm looking for documentation about setting CORS headers in
The problem is that I need to handle a CORS request and be sure I set all
the necessary headers in apache.
Right now I get error 401.
*Most of all, I can't find good server side documentation on how to handle
CORS requests!*
May you please write a link if that documentation exists?
is the most complete topic I found but it sounds alchemic.
Ok, here we go with details:

*This is the ajax CORS request:*

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("GET", " ");
console.log('open x');
xhr.setRequestHeader("content-type", "application/txt");
xhr.setRequestHeader("authorization", "Basic 3j893njd83jneu32");

*The apache server configuration related to cors is this:*

<VirtualHost *:443>
Header set Access-Control-Allow-Origin ''
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "x-requested-with, content-type, origin, authorization, accept, client-security-token, basic, origin"
(Notice I added 'basic, origin' but I don't know if they are valid headers.
Nothing changes if I remove them).

*After sending the request, in the browser console I get the error:*

Failed to load
Response for preflight has invalid HTTP status code 401.

*Here are more client side details:*

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="">
  <s:message>*No 'Authorization: Basic' header found*. Either the client
didn't send one, *or the server is misconfigured*</s:message>

Request URL: z
Request Method: OPTIONS
Status Code: 401 Unauthorized
Remote Address:
Referrer Policy: no-referrer-when-downgrade

Response header
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: x-requested-with, content-type, origin,
authorization, accept, client-security-token, basic, origin
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT

Request header
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: authorization,content-type
Access-Control-Request-Method: GET
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

*Server detail*

Ubuntu 16.0.4
Apache 2.4.18

Any suggestion is welcome.

Thank you.
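
Added example, not part of the original message: a JavaScript check that replays the preflight exchange from the dump above and lists the reasons a browser rejects it when withCredentials is true. The function name auditPreflight and the origin https://app.example are assumptions (the real origin is not shown); the other header values are constructed from the dump.

```javascript
// Added example. Header values mirror the dump in the message above; the origin
// "https://app.example" is a constructed placeholder (the real one is not shown).
const lowerKeys = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns the reasons a browser would reject this preflight for a request made
// with withCredentials = true. An empty array means the preflight passes.
function auditPreflight(request, response) {
  const req = lowerKeys(request.headers), res = lowerKeys(response.headers);
  const findings = [];
  // A preflight carries no Authorization header or cookies, so the server
  // must answer OPTIONS with a 2xx status without demanding authentication.
  if (response.status < 200 || response.status > 299)
    findings.push({ code: "status", detail: `preflight answered ${response.status}, needs 2xx` });
  const acao = res["access-control-allow-origin"];
  if (!acao) findings.push({ code: "origin-missing", detail: "no Access-Control-Allow-Origin" });
  else if (acao === "*") findings.push({ code: "origin-wildcard", detail: "'*' is refused for credentialed requests" });
  else if (acao !== req["origin"]) findings.push({ code: "origin-mismatch", detail: `${acao} != ${req["origin"]}` });
  if (res["access-control-allow-credentials"] !== "true")
    findings.push({ code: "credentials", detail: "Access-Control-Allow-Credentials must be 'true'" });
  const allowedHeaders = list(res["access-control-allow-headers"]);
  for (const h of list(req["access-control-request-headers"]))
    if (!allowedHeaders.includes(h)) findings.push({ code: "header", detail: `${h} not allowed` });
  const method = (req["access-control-request-method"] || "").toLowerCase();
  const safelisted = ["get", "head", "post"]; // these never need to be listed
  if (!safelisted.includes(method) && !list(res["access-control-allow-methods"]).includes(method))
    findings.push({ code: "method", detail: `${method} not allowed` });
  return findings;
}

const preflightRequest = { headers: {
  "Origin": "https://app.example", // placeholder
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Headers": "authorization,content-type",
} };
const capturedResponse = { status: 401, headers: {
  "Access-Control-Allow-Origin": "https://app.example", // placeholder
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "x-requested-with, content-type, origin, authorization, accept, client-security-token, basic, origin",
  "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
} };

console.log(auditPreflight(preflightRequest, capturedResponse));
```

With these inputs the only finding is the 401 status: the listed headers already cover the requested method and headers, so the rejection comes from the server asking the OPTIONS request for authentication.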
