Config.php not affecting CORS settings in Cockpit V2(.2.1)

Hey there.

I’ve switched to Cockpit 2.2.1 and am currently working on my first project based on Cockpit v2.

Unfortunately, I get the following CORS error:

Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

So far so classic… CORS doesn’t allow incoming requests from my host.
So I've edited my config.php, which was empty up until that point, to this:

<?php

  return [

    'cors' => [
        'allowedHeaders' => 'X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, Cockpit-Token',
        'allowedMethods' => 'PUT, POST, GET, OPTIONS, DELETE',
        'allowedOrigins' => '*',
        'maxAge' => '1000',
        'allowCredentials' => 'true',
        'exposedHeaders' => 'true',
      ]
  
  ];

Copied the config directly from the Docs.
But the CORS error still exists.

Anyone else experiencing this?

Thanks in advance.

I was able to solve it myself by adding the following to my .htaccess:

<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin: "*"
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
    Header always set Access-Control-Allow-Headers "*"
</IfModule>

It's not a perfect solution because it bypasses Cockpit's config.php, but at least it works.

CORS is handled here:

So the CORS headers are only sent on API requests (/api/*). Which route did you try to request?

GET [HOST]/api/pages/sitemap

Was there any other solution to this ? I’ve tried:

 'cors' => [
      'allowedHeaders' => 'X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, Cockpit-Token',
      'allowedMethods' => 'PUT, POST, GET, OPTIONS, DELETE',
      'allowedOrigins' => '*',
      'maxAge' => '1000',
      'allowCredentials' => 'true',
      'exposedHeaders' => 'true',
    ],

in config.php

As well as:

<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin: "*"
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
    Header always set Access-Control-Allow-Headers "*"
</IfModule>

in my .htaccess file - still no luck

Also removed caching in my request:

headers: {
    // "x-www-form-urlencoded" on its own is not a media type; the full token is
    // "application/x-www-form-urlencoded". The bare form also makes Content-Type
    // a non-safelisted header, which by itself forces a preflight request.
    "Content-Type": "application/x-www-form-urlencoded",
    'api-key': props.acctok,
    'Cache-Control': 'no-cache',
    'Pragma': 'no-cache',
    'Expires': '0',
}

I've noticed some collision issues when trying to set CORS policies in config.php as well as in .htaccess.
Try removing the entire ‘cors’ => […] block from your config.php so cors gets handled by .htaccess only.

Thanks @Jamo,

I’ve tried this as well with no luck. Posting my entire .htaccess file below:

# Deny access to database + config files
<Files ~ "\.(sqlite|sdb|s3db|db|yaml|yml|env)$">
  Require all denied
</Files>

<Files ".*">
  Require all denied
</Files>

<Files "tower">
  Require all denied
</Files>

<Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Files>

<Files index.php>
    Order Allow,Deny
    Allow from all
</Files>

# Don't show directory listings
Options -Indexes

# Character encoding: Serve text/html or text/plain as UTF-8
AddDefaultCharset UTF-8

# URL rewrites
<IfModule mod_rewrite.c>

    Options -MultiViews

    RewriteEngine On
    # RewriteBase /

    # Protect some contents
    RewriteRule ^.*/?\.git+ - [F,L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule .* index.php [L]

</IfModule>

AddType application/javascript          js jsonp tag
AddType application/json                json

# Audio
AddType audio/ogg                       oga ogg
AddType audio/mp4                       m4a f4a f4b

# Video
AddType video/ogg                       ogv
AddType video/mp4                       mp4 m4v f4v f4p
AddType video/webm                      webm
AddType video/x-flv                     flv

# SVG
#   Required for svg webfonts on iPad
#   twitter.com/FontSquirrel/status/14855840545
AddType     image/svg+xml               svg svgz
AddEncoding gzip                        svgz

# Webfonts
AddType application/vnd.ms-fontobject   eot
AddType application/x-font-ttf          ttf ttc
AddType font/opentype                   otf
AddType application/x-font-woff         woff

# Assorted types
AddType image/x-icon                    ico
AddType image/webp                      webp
AddType text/cache-manifest             appcache manifest
AddType text/x-component                htc
AddType application/xml                 rss atom xml rdf
AddType text/x-vcard                    vcf
AddType application/x-shockwave-flash   swf

<IfModule mod_expires.c>
    ExpiresActive On

    ExpiresByType application/pdf               "access plus 1 year"
    ExpiresByType application/x-shockwave-flash "access plus 1 year"
    ExpiresByType image/bmp                     "access plus 1 year"
    ExpiresByType image/gif                     "access plus 1 year"
    ExpiresByType image/jpeg                    "access plus 1 year"
    ExpiresByType image/png                     "access plus 1 year"
    ExpiresByType image/svg+xml                 "access plus 1 year"
    ExpiresByType image/tiff                    "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon      "access plus 1 year"
    ExpiresByType image/x-icon                  "access plus 1 year"
    ExpiresByType text/css                      "access plus 1 year"
    ExpiresByType video/x-flv                   "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
    ExpiresByType application/x-font-ttf        "access plus 1 year"
    ExpiresByType application/x-font-woff       "access plus 1 year"
    ExpiresByType application/font-woff         "access plus 1 year"
    ExpiresByType font/opentype                 "access plus 1 year"
    ExpiresByType image/webp                    "access plus 1 year"

    # The following MIME types are in the process of registration
    ExpiresByType application/xslt+xml          "access plus 1 year"
    ExpiresByType image/svg+xml                 "access plus 1 year"

    # The following MIME types are NOT registered
    ExpiresByType application/mathml+xml        "access plus 1 year"
    ExpiresByType application/rss+xml           "access plus 1 year"

    # JavaScript has various MIME types
    ExpiresByType application/x-javascript      "access plus 1 year"
    ExpiresByType application/javascript        "access plus 1 year"
    ExpiresByType text/ecmascript               "access plus 1 year"
    ExpiresByType text/javascript               "access plus 1 year"
</IfModule>

# -------------------------------------------------------------------------
# Disabling ETags as they are most likely misconfigured and
# do not add functionality beyond Last-Modified
# -------------------------------------------------------------------------
<IfModule mod_headers.c>
    # Try removing etag headers (if it's coming from proxy for example)
    Header always set Access-Control-Allow-Origin: "*"
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
    Header always set Access-Control-Allow-Headers "*"
    # Header unset ETag
</IfModule>

<IfModule mod_deflate.c>

  # Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>

  # Compress all output labeled with one of the following MIME-types
  # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
  # and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines as
  # `AddOutputFilterByType` is still in the core directives)
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml \
                                  application/javascript \
                                  application/json \
                                  application/rss+xml \
                                  application/vnd.ms-fontobject \
                                  application/x-font-ttf \
                                  application/xhtml+xml \
                                  application/xml \
                                  font/opentype \
                                  image/svg+xml \
                                  image/x-icon \
                                  text/css \
                                  text/html \
                                  text/plain \
                                  text/x-component \
                                  text/xml
  </IfModule>

</IfModule>

# Remove ETags
FileETag None

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

Small but vital mistake made.

See the colons at the end of the first two header lines? Those are wrong.
Change the mentioned part in your .htaccess to

<IfModule mod_headers.c>
    # Try removing etag headers (if it's coming from proxy for example)
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"
    Header always set Access-Control-Allow-Headers "*"
    # Header unset ETag
</IfModule>

(no colons)

That should fix it.

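The colon mistake above, and the config.php/.htaccess collision mentioned earlier in the thread, can both be confirmed without a browser. The script below is an added example (my own, not Cockpit's code and not from any post in this thread): it parses the raw text of an OPTIONS response and applies the rules a browser uses for the CORS-preflight check. The three response samples are constructed by hand, not captured from a server; the `::` line is my reading of what `Header always set Access-Control-Allow-Origin: "*"` puts on the wire (the colon becomes part of the header name, so the value the browser sees is `: *`), and `https://app.example` is a placeholder origin. To check a real install, replace a sample with the output of `curl -si -X OPTIONS -H 'Origin: https://YOUR-APP' -H 'Access-Control-Request-Method: GET' https://HOST/api/pages/sitemap`.

```python
"""Browser-side CORS preflight check, run offline against captured response text.

Added example (not Cockpit's code). It parses an OPTIONS response the way a
browser does and applies the Fetch standard's CORS-preflight rules.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Methods that never need to appear in Access-Control-Allow-Methods.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# --- Constructed samples (not captured from a real Cockpit server) ---------
ORIGIN = "https://app.example"  # placeholder origin

# Assumed wire form of `Header always set Access-Control-Allow-Origin: "*"`:
# the trailing colon is part of the header *name*, so the line carries "::".
BROKEN_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin:: *",
    "Access-Control-Allow-Methods:: GET,POST,OPTIONS,DELETE,PUT",
    "Access-Control-Allow-Headers: *",
    "", "",
])

# The corrected directives (no colons after the header names).
FIXED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT",
    "Access-Control-Allow-Headers: *",
    "", "",
])

# What config.php *and* .htaccess both emitting the header looks like.
DUPLICATE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT",
    "Access-Control-Allow-Headers: *",
    "", "",
])


@dataclass
class PreflightResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status, [(lowercased name, value), ...]) from an HTTP/1.x head.

    A name ends at the first colon, so 'Access-Control-Allow-Origin:: *'
    parses as the right name with the useless value ': *'.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def _values(headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name.lower()]


def _tokens(values: List[str]) -> List[str]:
    return [t.strip() for v in values for t in v.split(",") if t.strip()]


def preflight_check(raw: str, origin: str, method: str,
                    unsafe_headers: List[str], credentials: bool = False) -> PreflightResult:
    """Apply the CORS-preflight check. `unsafe_headers` are the request header
    names that triggered the preflight (anything outside the safelisted set,
    e.g. api-key, Cache-Control, Pragma, or a non-form Content-Type)."""
    status, headers = parse_response(raw)
    problems: List[str] = []
    if not 200 <= status <= 299:
        problems.append(f"preflight status {status} is not 2xx")

    acao = _values(headers, "Access-Control-Allow-Origin")
    if not acao:
        problems.append("No 'Access-Control-Allow-Origin' header is present")
    elif len(acao) > 1:
        problems.append("more than one Access-Control-Allow-Origin header")
    elif acao[0] == "*":
        if credentials:
            problems.append("wildcard origin is rejected when credentials are sent")
    elif acao[0] != origin:
        problems.append(f"origin {origin!r} does not match {acao[0]!r}")

    if credentials and _values(headers, "Access-Control-Allow-Credentials") != ["true"]:
        problems.append("Access-Control-Allow-Credentials must be exactly 'true'")

    methods = {m.upper() for m in _tokens(_values(headers, "Access-Control-Allow-Methods"))}
    if method.upper() not in SAFELISTED_METHODS:
        if method.upper() not in methods and not ("*" in methods and not credentials):
            problems.append(f"method {method.upper()} is not allowed")

    allowed = {h.lower() for h in _tokens(_values(headers, "Access-Control-Allow-Headers"))}
    wildcard = "*" in allowed and not credentials
    for h in unsafe_headers:
        # Authorization is never covered by '*'; it has to be listed by name.
        if h.lower() in allowed or (wildcard and h.lower() != "authorization"):
            continue
        problems.append(f"request header {h} is not allowed")

    return PreflightResult(ok=not problems, problems=problems)


if __name__ == "__main__":
    for label, raw in [("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE),
                       ("duplicate", DUPLICATE_RESPONSE)]:
        r = preflight_check(raw, ORIGIN, "GET", ["api-key", "Cache-Control"])
        print(f"{label:9s} ok={r.ok} {r.problems}")
    # allowedOrigins '*' together with allowCredentials 'true' (the config.php
    # block quoted in this thread) fails as soon as the request sends credentials.
    print(preflight_check(FIXED_RESPONSE, ORIGIN, "GET", ["api-key"], credentials=True).problems)
```

Two things the script makes visible beyond the colon typo: a browser rejects a response that carries the header twice, which is what a config.php `cors` block plus a `Header always set` line in .htaccess produces, and it rejects `Access-Control-Allow-Origin: *` outright for any request made with credentials, so the `'allowedOrigins' => '*'` / `'allowCredentials' => 'true'` pairing in the quoted config.php cannot work for cookie-bearing or `credentials: 'include'` requests. Note also that the .htaccess fix applies the wildcard to every path the vhost serves, not only `/api/*`, so an explicit origin list is the safer setting once things work.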

Yes, this worked for me. I removed the entire 'cors' block from config.php.

If you use config/config.php, it does affect GETs etc., but not OPTIONS, which means the preflight fails.

Is your server behind a proxy? I can’t replicate the issue :thinking:

Might be proxying through nginx.

https://jphtmx.feeed.com/ (at the moment I have it working with a .htaccess at the www root)

Thank you! This did the trick!