I want to configure my Apache 2.4 to serve some static resources in a CORS-friendly way. I already have the following setting:
Header always set Access-Control-Allow-Origin "*"
However, for recent Safari this appears to not be enough:
[Error] Failed to load resource: Request header field … is not allowed by Access-Control-Allow-Headers.
Fields mentioned in this fashion include Accept-Encoding and DNT, but I guess after adding them I might also be seeing Cache-Control, Origin and Accept-Language, since these are the ones mentioned in the Access-Control-Request-Headers header sent by Safari. But who is to tell me what other headers Safari or some other browser might be requesting, now or in the future, for myself or for some other user with a different configuration? Apparently * is not a valid setting for the Access-Control-Allow-Headers header, for reasons I don't really understand.
So how do I configure a server to just say “use these resources anywhere, I don't care about CORS for them”?
* is now a valid value for Access-Control-Allow-Headers, at least for non-credentialed requests; but since this is a fairly recent addition to the specification, it probably hasn't reached browsers yet.
One solution I found is that instead of adding headers explicitly, you can just echo all the requested headers back to the browser. This approach was suggested here on Stack Overflow, but that post did not provide a static configuration to do so.
After reading the documentation on Header and expressions I managed to achieve this using the following line:
I'm not sure about the security implications this might have, so use at your own risk, as usual.
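One way to write the echo approach described in this answer as a static httpd.conf block; this is an added example, not the answer's own line, and it assumes Apache httpd 2.4.10 or later (needed for expr= values in Header), mod_headers loaded, and a constructed directory path.

```apache
# Added example: echo the browser's requested header names back as the
# allowed set, for non-credentialed access to static resources only.
<Directory "/var/www/static">
    # Constructed path; point this at your own static-resource directory.

    # Any origin may read these resources (same line the question already uses).
    Header always set Access-Control-Allow-Origin "*"

    # Whatever the browser lists in Access-Control-Request-Headers during the
    # preflight is returned verbatim in Access-Control-Allow-Headers, so no
    # per-browser allow-list is needed. The trailing expr= condition makes
    # the directive apply only when that request header is present, so
    # ordinary (non-preflight) responses are left untouched.
    Header always set Access-Control-Allow-Headers \
        "expr=%{req:Access-Control-Request-Headers}" \
        "expr=-n %{req:Access-Control-Request-Headers}"

    # Deliberately no Access-Control-Allow-Credentials here: a wildcard
    # origin and an echoed header list are only appropriate for
    # non-credentialed requests, which is all static public resources need.
</Directory>
```

Reading the request header through `%{req:...}` also makes mod_headers add it to the response's Vary header, so caches keep preflight answers for different header sets apart.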