31

I have a common authentication form across multiple subdomains (example.com, blog.example.com, and app.example.com). The login form must submit this data to example.com irrespective of where it is shown, so I thought of using CORS, but this:

header("Access-Control-Allow-Origin: http://example.com http://blog.example.com http://app.example.com");

does not work.

So I thought of doing the next thing, and checking the Origin header manually on the server side, and allowing an Access-Control-Allow-Origin: * so that requests might be made, but unfortunately, this crops up in the MDN:

Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding.

Is there any way to make my request work across multiple domains, and still send credentials using CORS?

Community
Nemo
  • I believe you can also put commas between the domain names. (i.e. so, yes, you can make it work across multiple domains.) – BrainSlugs83 Jan 15 '16 at 06:57
  • I don't think so. From the spec: "In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null"." (source: https://www.w3.org/TR/cors/#access-control-allow-origin-response-header) – Nemo Jan 16 '16 at 06:04

2 Answers

45

Two thoughts:

1) Are you also including the "Access-Control-Allow-Credentials: true" header? This is needed for passing cookie credentials (and the corresponding XHR client must set .withCredentials = true).

2) Have you tried the suggestion from your link and only included the origin for the current request? For example, if a request comes in with the header "Origin: http://blog.example.com", you would respond with "Access-Control-Allow-Origin: http://blog.example.com", and not a list of origins. This requires a little more work on your server-side implementation.

3) One other thought, you mention that you have a single login form that must be shared by various domains. Well, if it is a standard HTML form, you can do a regular form-post across domains. You don't need to use CORS. Just set the "action" property of the form to the url you wish to post to. For example:

<form name="login" action="http://login.example.com/doLogin" method="post">
  <!-- login fields go here; the browser posts them to login.example.com without CORS -->
</form>
monsur
2
<?php
// cross domain: reflect whatever Origin the browser sent, for any origin at all
// (guarded so a request without an Origin header does not trigger an undefined-index notice)
if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
    header('Access-Control-Allow-Credentials: true');
}
  • Don't do that without a strict verification of the Origin header or you will open a security hole – Tom Aug 18 '15 at 20:50
  • This answer illustrates why it's impossible to have fool-proof security -- in technicolor even!! – BrainSlugs83 Jan 15 '16 at 07:00
  • OK, it appears that this is "in essence" the same as doing "*", which can open up subtle security holes, so is discouraged; see http://stackoverflow.com/questions/12001269/what-are-the-security-risks-of-setting-access-control-allow-origin – rogerdpack Apr 14 '17 at 18:26
  • Why not do this: http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html – JSmyth Oct 15 '17 at 02:00
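The per-request origin echo that monsur's point 2 describes, with the strict Origin check Tom's comment asks for in place of the unconditional reflection in the second answer. This is an added example, not code from the question or either answer; the three origins in the allowlist are assumed from the question.

```php
<?php
// Added example: answer CORS requests by echoing the request's Origin only when
// it exactly matches a fixed allowlist. This is what a credentialed request
// needs, since "*" and space-separated lists are not accepted by browsers.

// Exact-match allowlist of origins (scheme + host [+ port]); values assumed.
const ALLOWED_ORIGINS = [
    'http://example.com',
    'http://blog.example.com',
    'http://app.example.com',
];

/**
 * Return the CORS headers for a request, or an empty array when the Origin
 * header is absent or not on the allowlist. Returning an array instead of
 * calling header() directly keeps the decision logic testable.
 */
function corsHeadersFor(?string $origin, string $method): array
{
    // No Origin header: same-origin or non-browser request, nothing to add.
    if ($origin === null) {
        return [];
    }
    // Strict, case-sensitive, whole-string match. No substring or regex
    // checks, so "http://example.com.evil.test" or "null" never match.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    $headers = [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        // The response differs per Origin, so shared caches must key on it.
        'Vary'                             => 'Origin',
    ];
    if ($method === 'OPTIONS') {
        // Preflight: declare what the actual login POST may use.
        $headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type';
        $headers['Access-Control-Max-Age']       = '600';
    }
    return $headers;
}

// Emit the headers for the current request (meaningful under a web server).
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null, $method) as $name => $value) {
    header("$name: $value");
}
if ($method === 'OPTIONS') {
    http_response_code(204); // preflight needs no body
    exit;
}
```

A request from an origin that is not listed simply gets no Access-Control-Allow-Origin header, so the browser blocks the cross-origin read while the server-side handler is otherwise unchanged.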