How to allow origin header for multiple sites?

Actually, I’m not familiar with the .yaml extension.
I tried to add the config as below:

    cors:
        allowedOrigins:
            - https://domainone.com
            - https://domaintwo.com

But it’s showing the error like this

The 'Access-Control-Allow-Origin' header contains the invalid value 'Array'.


That will not work; you can specify only one entry in the configuration. If you check the index.php:

    $_cors = $cockpit->retrieve('config/cors', []);

    header('Access-Control-Allow-Origin: '      .($_cors['allowedOrigins'] ?? '*'));

So unless @artur accepts a change for that (and I'm not sure if that makes sense), you may need to deal with it in the webserver. Check for a solution here: https://stackoverflow.com/a/11077890

Please consider using config.php instead of config.yaml:

    <?php

    // Echo the request's Origin only when it is on the allowlist;
    // otherwise fall back to the first site. Origin may be absent.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';

    return [

      'cors' => [

        'allowedOrigins' => in_array($origin, ['https://domainone.com', 'https://domaintwo.com'], true)
                            ? $origin : 'https://domainone.com'
      ]

    ];

If you use the PHP-based configuration, then you’re more flexible (e.g. using env variables for dynamic config).

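A fuller config.php in the spirit of the reply above, added here as an example and not code from Cockpit or from the posters: it reads the allowlist from an environment variable, echoes the Origin back only on an exact match, and sends `Vary: Origin` so caches do not serve one site's header to another. The variable name `CORS_ALLOWED_ORIGINS` and the `$parseOrigins` and `$resolveOrigin` helpers are hypothetical.

```php
<?php
// Added example, not Cockpit's own code. CORS_ALLOWED_ORIGINS is an assumed
// environment variable holding a comma-separated allowlist of origins.

// Split "a, b ,c" into a clean list; drop empty items and trailing slashes.
$parseOrigins = static function (string $raw): array {
    $items = array_map(static function (string $o): string {
        return rtrim(trim($o), '/');
    }, explode(',', $raw));

    return array_values(array_filter($items, static function (string $o): bool {
        return $o !== '';
    }));
};

// Return the request's Origin only on an exact match, otherwise the fallback.
$resolveOrigin = static function (?string $origin, array $allowlist, string $fallback): string {
    // No Origin header: same-origin navigation, curl, server-to-server call.
    if ($origin === null || $origin === '') {
        return $fallback;
    }
    // Strict whole-string comparison; no substring, prefix or regex matching.
    return in_array($origin, $allowlist, true) ? $origin : $fallback;
};

$allowlist = $parseOrigins(
    getenv('CORS_ALLOWED_ORIGINS') ?: 'https://domainone.com,https://domaintwo.com'
);

// The response now varies with the request's Origin, so caches must key on it.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Vary: Origin', false);
}

return [
    'cors' => [
        'allowedOrigins' => $resolveOrigin(
            $_SERVER['HTTP_ORIGIN'] ?? null,
            $allowlist,
            $allowlist[0] ?? 'https://domainone.com'
        ),
    ],
];
```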

Thanks @pauloamgomes and @artur. I commented out the Access-Control-Allow-Origin and Access-Control-Allow-Methods lines in index.php and added the following to .htaccess:

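    <IfModule mod_headers.c>
        # Capture the Origin only when it is exactly one of the two allowed sites
        # (anchored at both ends, dots escaped, alternation group closed)
        SetEnvIf Origin "^http(s)?://(domainone\.com|domaintwo\.com)$" AccessControlAllowOrigin=$0
        # Echo the captured origin back; sent only when the variable was set above
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
    </IfModule>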

It’s working now. Thanks

Hello,

I am running into this same issue. I am using cockpit within docker, my issue is I am getting CORS errors on imagery I link to in the cockpit stored assets.

I get the error in Chrome browser: Access to image at 'https://cockpit.example.com/storage/uploads/2022/02/25/image.png' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I noticed in cockpit in index.php:30 (if (COCKPIT_API_REQUEST)) the CORS settings are only applying to API requests.

Is there any way to set multiple origins for file assets?

Thank you.