SSL – Setting Access-Control-Allow-Origin in .htaccess for HTTPS protocol

.htaccess, http-headers, https, ssl

I have a site with HTTP and HTTPS. In the .htaccess I set the following line, which works for HTTP.

Header set Access-Control-Allow-Origin "*"

But with https I get this error.

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://dl.dropboxusercontent.com' is therefore not allowed access.

I tried the following with no luck.

Header set Access-Control-Allow-Origin "*" env=HTTPS

Is there any way to set the Access-Control-Allow-Origin header for HTTPS in .htaccess?

Here is my complete .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
</IfModule>

Here are my virtual host settings:

<VirtualHost *:443>

    ServerAdmin admin@localhost
    DocumentRoot /var/www/html/domain

    ServerName domain.com

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile "/etc/pki/tls/private/domain.crt"

    SSLCertificateKeyFile "/etc/pki/tls/private/domain.key"

    SSLCACertificateFile "/etc/pki/tls/private/domain.ca-bundle.crt"

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log common


    <Directory "/var/www/html/domain">
        AllowOverride All
    </Directory>


</VirtualHost>

Any solution?

Best Answer

Without the complete .htaccess I don't know exactly, but when more processing is done within Apache, adding the condition always might be needed:

Header always set Access-Control-Allow-Origin "*" 

The manual explains it as follows:

When your action is a function of an existing header, you may need to specify a condition of always, depending on which internal table the original header was set in.
The table that corresponds to always is used for locally generated error responses as well as successful responses. Note also that repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers:

  • You're adding a header to a locally generated non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.

  • You're modifying or removing a header generated by a CGI script, in which case the CGI scripts are in the table corresponding to always and not in the default table.

  • You're modifying or removing a header generated by some piece of the server but that header is not being found by the default onsuccess condition.
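The behaviour the manual excerpt describes, as an added example that is not part of the original answer and is not Apache's code: a simplified Python model of the two header tables, showing why a plain Header set is lost on a locally generated non-2xx response while Header always set survives, and why a header placed in the always table by a CGI script is only reachable with always. The names Response, apply, sent_headers and serve are hypothetical, and only the set and unset actions are modelled.

```python
import shlex
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    local: bool = False  # True when the server itself built the response (redirect, error page)
    onsuccess: dict = field(default_factory=dict)  # default table ("Header set ...")
    always: dict = field(default_factory=dict)     # table behind "Header always ..."

def apply(resp, line):
    """Apply one 'Header [always|onsuccess] set|unset name [value]' directive."""
    words = shlex.split(line)
    if words[0].lower() != "header":
        raise ValueError("not a Header directive: " + line)
    words = words[1:]
    table = resp.onsuccess  # no condition given means onsuccess
    if words[0].lower() in ("always", "onsuccess"):
        if words[0].lower() == "always":
            table = resp.always
        words = words[1:]
    action, name = words[0].lower(), words[1].lower()  # header names are case-insensitive
    if action == "set":
        table[name] = words[2]
    elif action == "unset":
        table.pop(name, None)  # only touches the table the condition selected
    else:
        raise ValueError("action not modelled: " + action)

def sent_headers(resp):
    """Return the (name, value) pairs that reach the client in this model."""
    pairs = sorted(resp.always.items())
    local_error = resp.local and not 200 <= resp.status < 300
    if not local_error:  # a locally generated non-2xx response uses the always table only
        pairs += sorted(resp.onsuccess.items())
    return pairs

def serve(status, directives, local=False, cgi_headers=None):
    """Build a response, seed CGI headers into the always table, run the directives."""
    resp = Response(status, local)
    resp.always.update({k.lower(): v for k, v in (cgi_headers or {}).items()})
    for line in directives:
        apply(resp, line)
    return sent_headers(resp)

if __name__ == "__main__":
    plain = 'Header set Access-Control-Allow-Origin "*"'
    print(serve(200, [plain]))              # header present on a normal 200
    print(serve(301, [plain], local=True))  # header missing on a server-built redirect
```
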