Jamo
August 16, 2022, 4:47pm
1
Hey there.
I’ve switched to Cockpit 2.2.1 and am currently working on my first project based on Cockpit v2.
Unfortunately, I get the following CORS error:
Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
So far so classic… CORS doesn’t allow incoming requests from my host.
So I've edited my, up until that point empty, config.php to this:
<?php
return [
'cors' => [
'allowedHeaders' => 'X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, Cockpit-Token',
'allowedMethods' => 'PUT, POST, GET, OPTIONS, DELETE',
'allowedOrigins' => '*',
'maxAge' => '1000',
'allowCredentials' => 'true',
'exposedHeaders' => 'true',
]
];
Copied the config directly from the Docs.
But the CORS error still exists.
Anyone else experiencing this?
Thanks in advance.
Jamo
August 16, 2022, 6:23pm
2
I was able to solve it myself by adding the following in my .htaccess:
<IfModule mod_headers.c>
Header always set Access-Control-Allow-Origin: "*"
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
Header always set Access-Control-Allow-Headers "*"
</IfModule>
It’s not a perfect solution because it bypasses Cockpit’s config.php, but at least it works.
artur
August 16, 2022, 8:35pm
3
CORS is handled here:
'site_url' => $app->retrieve('site_url'),
'base_url' => $APP_BASE_URL,
'base_route' => $APP_BASE_ROUTE
]);
// CORS handling
if (APP_API_REQUEST) {
$CORS_DEFAULTS = [
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Credentials' => 'true',
'Access-Control-Max-Age' => '1000',
'Access-Control-Allow-Headers' => 'X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, API-KEY',
'Access-Control-Allow-Methods' => 'PUT, POST, GET, OPTIONS, DELETE',
'Access-Control-Expose-Headers' => ($app->retrieve('debug') ? '*' : 'false'),
];
$CORS_CONFIG = $app->retrieve('cors', []);
$app->on('before', function() use($CORS_DEFAULTS, $CORS_CONFIG) {
So the CORS headers are only sent on API requests (/api/*). Which route did you try to request?
Jamo
August 17, 2022, 5:24am
4
GET [HOST]/api/pages/sitemap
buzz
August 19, 2022, 5:12pm
5
Was there any other solution to this? I’ve tried:
'cors' => [
'allowedHeaders' => 'X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, Cockpit-Token',
'allowedMethods' => 'PUT, POST, GET, OPTIONS, DELETE',
'allowedOrigins' => '*',
'maxAge' => '1000',
'allowCredentials' => 'true',
'exposedHeaders' => 'true',
],
in config.php
As well as:
<IfModule mod_headers.c>
Header always set Access-Control-Allow-Origin: "*"
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
Header always set Access-Control-Allow-Headers "*"
</IfModule>
in my .htaccess file - still no luck
Also removed caching in my request:
headers: {
"Content-Type":"x-www-form-urlencoded",
'api-key': props.acctok,
'Cache-Control': 'no-cache',
'Pragma': 'no-cache',
'Expires': '0',
}
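A simplified model of the browser's preflight check, as an added example that is not part of the original thread or of Cockpit's code: it runs the request headers from the post above against the allowedHeaders list from config.php and against the wildcard .htaccess headers. The origin https://app.example, the placeholder api-key value and the assumption that allowedHeaders is sent verbatim as Access-Control-Allow-Headers are constructed for illustration.

```javascript
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Header names the browser announces in Access-Control-Request-Headers.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
    return !SAFE_HEADERS.has(n);
  }).map(([name]) => name.toLowerCase()).sort();
}

// Simplified Fetch-spec preflight check: returns the rejection reasons (empty array = request proceeds).
function checkPreflight(req, res) {
  const h = Object.fromEntries(Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const creds = req.credentials === "include";
  const errors = [];
  if (res.status < 200 || res.status > 299) errors.push(`status ${res.status} is not 2xx`);
  const origin = h["access-control-allow-origin"];
  if (origin === undefined) errors.push("no Access-Control-Allow-Origin header");
  else if (creds && origin === "*") errors.push("wildcard origin with credentials");
  else if (origin !== "*" && origin !== req.origin) errors.push("origin mismatch");
  if (creds && h["access-control-allow-credentials"] !== "true") errors.push("credentials not allowed");
  const methods = list(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method.toLowerCase()) &&
      !(methods.includes("*") && !creds)) errors.push(`method ${req.method} not allowed`);
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of unsafeHeaders(req.headers)) {
    // "*" never covers Authorization and is taken literally when credentials are sent.
    const wildcard = allowed.includes("*") && !creds && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) errors.push(`header ${name} not allowed`);
  }
  return errors;
}

// Constructed samples: the request headers from the post, with a placeholder origin and key.
const request = { origin: "https://app.example", method: "GET", credentials: "omit", headers: {
  "Content-Type": "x-www-form-urlencoded", "api-key": "PLACEHOLDER",
  "Cache-Control": "no-cache", "Pragma": "no-cache", "Expires": "0" } };
const fromConfigPhp = { status: 200, headers: { "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "PUT, POST, GET, OPTIONS, DELETE",
  "Access-Control-Allow-Headers": "X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, Cockpit-Token" } };
const fromHtaccess = { status: 200, headers: { "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET,POST,OPTIONS,DELETE,PUT", "Access-Control-Allow-Headers": "*" } };
console.log(checkPreflight(request, fromConfigPhp)); // api-key and expires are rejected
console.log(checkPreflight(request, fromHtaccess));  // passes without credentials
console.log(checkPreflight({ ...request, credentials: "include" }, fromHtaccess));
```

The wildcard headers only pass for requests sent without credentials; with credentials the browser requires the exact origin, Access-Control-Allow-Credentials: true and an explicit header list.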
Jamo
August 20, 2022, 9:20am
6
I’ve noticed some collision issues when trying to set CORS policies in config.php as well as in .htaccess.
Try removing the entire ‘cors’ => […] block from your config.php so cors gets handled by .htaccess only.
buzz
August 20, 2022, 12:42pm
7
Thanks @Jamo,
I’ve tried this as well with no luck. Posting my entire .htaccess file below:
# Deny access to database + config files
<Files ~ "\.(sqlite|sdb|s3db|db|yaml|yml|env)$">
Require all denied
</Files>
<Files ".*">
Require all denied
</Files>
<Files "tower">
Require all denied
</Files>
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
# Don't show directory listings
Options -Indexes
# Character encoding: Serve text/html or text/plain as UTF-8
AddDefaultCharset UTF-8
# URL rewrites
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
# RewriteBase /
# Protect some contents
RewriteRule ^.*/?\.git+ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
</IfModule>
AddType application/javascript js jsonp tag
AddType application/json json
# Audio
AddType audio/ogg oga ogg
AddType audio/mp4 m4a f4a f4b
# Video
AddType video/ogg ogv
AddType video/mp4 mp4 m4v f4v f4p
AddType video/webm webm
AddType video/x-flv flv
# SVG
# Required for svg webfonts on iPad
# twitter.com/FontSquirrel/status/14855840545
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# Webfonts
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttf ttc
AddType font/opentype otf
AddType application/x-font-woff woff
# Assorted types
AddType image/x-icon ico
AddType image/webp webp
AddType text/cache-manifest appcache manifest
AddType text/x-component htc
AddType application/xml rss atom xml rdf
AddType text/x-vcard vcf
AddType application/x-shockwave-flash swf
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType application/pdf "access plus 1 year"
ExpiresByType application/x-shockwave-flash "access plus 1 year"
ExpiresByType image/bmp "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType image/tiff "access plus 1 year"
ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType text/css "access plus 1 year"
ExpiresByType video/x-flv "access plus 1 year"
ExpiresByType application/vnd.bw-fontobject "access plus 1 year"
ExpiresByType application/x-font-ttf "access plus 1 year"
ExpiresByType application/x-font-woff "access plus 1 year"
ExpiresByType application/font-woff "access plus 1 year"
ExpiresByType font/opentype "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
# The following MIME types are in the process of registration
ExpiresByType application/xslt+xml "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
# The following MIME types are NOT registered
ExpiresByType application/mathml+xml "access plus 1 year"
ExpiresByType application/rss+xml "access plus 1 year"
# JavaScript has various MIME types
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType text/ecmascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
</IfModule>
# -------------------------------------------------------------------------
# Disabling ETags as they are most likely misconfigured and
# do not add functionality beyond Last-Modified
# -------------------------------------------------------------------------
<IfModule mod_headers.c>
# Try removing etag headers (if it's coming from proxy for example)
Header always set Access-Control-Allow-Origin: "*"
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
Header always set Access-Control-Allow-Headers "*"
# Header unset ETag
</IfModule>
<IfModule mod_deflate.c>
# Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
# Compress all output labeled with one of the following MIME-types
# (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
# and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines as
# `AddOutputFilterByType` is still in the core directives)
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE application/atom+xml \
application/javascript \
application/json \
application/rss+xml \
application/vnd.ms-fontobject \
application/x-font-ttf \
application/xhtml+xml \
application/xml \
font/opentype \
image/svg+xml \
image/x-icon \
text/css \
text/html \
text/plain \
text/x-component \
text/xml
</IfModule>
</IfModule>
# Remove ETags
FileETag None
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
Jamo
August 22, 2022, 9:06am
8
Small but vital mistake made.
buzz:
<IfModule mod_headers.c>
# Try removing etag headers (if it's coming from proxy for example)
Header always set Access-Control-Allow-Origin: "*"
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
Header always set Access-Control-Allow-Headers "*"
# Header unset ETag
</IfModule>
See the colons at the end of the first two header lines? Those are wrong.
Change the mentioned part in your .htaccess to
<IfModule mod_headers.c>
# Try removing etag headers (if it's coming from proxy for example)
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"
Header always set Access-Control-Allow-Headers "*"
# Header unset ETag
</IfModule>
(no colons)
That should fix it.
2 Likes
Yes, this worked for me. I removed everything ‘cors’ from config.php
if you use config/config.php it does affect GETs etc, but not OPTIONS, which means preflight fails
artur
August 22, 2022, 9:20pm
10
Is your server behind a proxy? I can’t replicate the issue
Might be proxying through nginx.
https://jphtmx.feeed.com/ moment I have it working with a .htaccess at the www root
buzz
August 24, 2022, 4:34pm
12
Thank you! This did the trick!