My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:
Header set Access-Control-Allow-Origin: http://example.com
I want to allow ajax requests on both http and https versions of my site (not just "*") and tried the solutions here: Access-Control-Allow-Origin Multiple Origin Domains?
But all solutions are assuming that there is an Origin header in the request which may not be the case and is not secure.
I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:
SetEnvIf servedOverHttps httpsOrigin=true
Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin
SetEnvIf notServedOverHttps httpOrigin=true
Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin
How can I find out that it's a https request?
Aucun commentaire:
Enregistrer un commentaire