Publish login issue (#447)

* Checking origin host and requesthost values
adobe · Mar 22, 2024 · 3e2fb44 · 3e2fb44
1 parent d353873
commit 3e2fb44
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/dispatcher/src/conf.d/available_vhosts/wknd.vhost b/dispatcher/src/conf.d/available_vhosts/wknd.vhost
@@ -16,6 +16,7 @@ Include conf.d/variables/custom.vars
  DocumentRoot "${DOCROOT}"
  # URI dereferencing algorithm is applied at Sling's level, do not decode parameters here
  AllowEncodedSlashes NoDecode
+
  # Add header breadcrumbs for help in troubleshooting
  <IfModule mod_headers.c>
  Header add X-Vhost "publish"
@@ -38,7 +39,8 @@ Include conf.d/variables/custom.vars
 
  SetEnvIfExpr "req_novary('Access-Control-Request-Method') == '' && %{REQUEST_METHOD} == 'OPTIONS' && req_novary('Origin') != ''" CORSType=invalidpreflight CORSProcessing=false
  SetEnvIfExpr "req_novary('Access-Control-Request-Method') != '' && %{REQUEST_METHOD} == 'OPTIONS' && req_novary('Origin') != ''" CORSType=preflight CORSProcessing=true CORSTrusted=false
- SetEnvIfExpr "req_novary('Origin') -strcmatch '%{REQUEST_SCHEME}://%{HTTP_HOST}*'" CORSType=samedomain CORSProcessing=false
+ SetEnvIfExpr "req_novary('Origin') -strcmatch 'https://%{HTTP_HOST}*'" CORSType=samedomain CORSProcessing=false CORSTrusted=true
+ SetEnvIfExpr "req_novary('Origin') -strcmatch 'http://%{HTTP_HOST}*'" CORSType=samedomain CORSProcessing=false CORSTrusted=true
 
  # For requests that require CORS processing, check if the Origin can be trusted
  SetEnvIfExpr "%{HTTP_HOST} =~ /(.*)/ " ParsedHost=$1
@@ -75,6 +77,12 @@ Include conf.d/variables/custom.vars
  Header always set Access-Control-Max-Age 1800 "expr=reqenv('CORSTrusted') == 'true'"
  Header always set Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers" "expr=reqenv('CORSTrusted') == 'true'"
 
+ # Uncomment while debugging
+ # Header always set Debug-CORSProcessing "true" "expr=reqenv('CORSProcessing') == 'true'"
+ # Header always set Debug-CORSProcessing "false" "expr=reqenv('CORSProcessing') == 'false'"
+ # Header always set Debug-CORSTrusted "false" "expr=reqenv('CORSTrusted') == 'false'"
+ # Header always set Debug-CORSTrusted "true" "expr=reqenv('CORSTrusted') == 'true'"
+
  # Non-CORS or Not Trusted
  Header unset Access-Control-Allow-Credentials "expr=reqenv('CORSProcessing') == 'false' || reqenv('CORSTrusted') == 'false'"
  Header unset Access-Control-Allow-Origin "expr=reqenv('CORSProcessing') == 'false' || reqenv('CORSTrusted') == 'false'"