I am getting a
XMLHttpRequest cannot load http://website2.com/ads/dev_642e92efb79421734881b53e1e1b18b6/5534f8e14d514_1.html. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://website1.com' is therefore not allowed access.
Website2 is configured using nginx:
server { listen 80; server_name website2.com; root /var/www/website2; index index.php index.html index.htm; #try_files $uri $uri/ /index.php?$args; client_max_body_size 20M; location /ads { add_header 'Access-Control-Max-Age' 1728000; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; try_files $uri $uri/ /index.php?$args; } location / { try_files $uri $uri/ /index.php?$args; # proxy_pass http://127.0.0.1:2368/; # proxy_set_header Host $host; # proxy_buffering off; } gzip on; gzip_vary on; gzip_types text/javascript text/css text/xml application/xml application/xml+rss; gzip_comp_level 9; gzip_min_length 100; gzip_buffers 16 8k; gzip_proxied expired no-cache no-store private auth; gzip_http_version 1.0; gzip_disable "MSIE [1-6]\."; location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires 24h; log_not_found off; } location ~ \.php$ { try_files $uri =404; # Fix for server variables that behave differently under nginx/php-fpm than typically expected fastcgi_split_path_info ^(.+\.php)(/.+)$; # Include the standard fastcgi_params file included with nginx include fastcgi_params; fastcgi_param HTTPS $https; fastcgi_pass_header X_SECURECONNECTION; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; # Override the SCRIPT_FILENAME variable set by fastcgi_params fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # Pass to upstream PHP-FPM; This must match whatever you name your upstream connection fastcgi_pass 127.0.0.1:9000; } #preventing access to git location ~ /\.(?:git).* { deny all; access_log off; log_not_found off; } #preventing access to .htaccess or htpasswd location ~ /\.ht.* { deny all; access_log off; log_not_found off; } server_tokens off; if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; } location /images/ { valid_referers none blocked example.com *.example.com; if ($invalid_referer) { return 403; } }
How this webpage is getting requested is by: 1) Accessing a PHP file of website1. 2) The PHP file dies an html webpage which includes javascript files in website2. 3) Javascript uses ajax to get the html in website2 that is not allowed access, it uses the method GET.
The server address is still website1 when the process is over.
I also tried to add it to "location /".
Any ideas?
UPDATE:
After following this: http://www.html5rocks.com/en/tutorials/cors/
The error was not shown given that add_header 'Access-Control-Allow-Origin' was added to server context, not a location context.
HOWEVER, it frequently does not work. A third or less of the requests still give back the same error:
XMLHttpRequest cannot load http://website2.com/ads/dev_642e92efb79421734881b53e1e1b18b6/5534f8e14d514_1.html. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://website1.com' is therefore not allowed access.
curl -I shows:
HTTP/1.1 200 OK Server: nginx Date: Wed, 22 Apr 2015 10:30:55 GMT Content-Type: text/html Content-Length: 402 Last-Modified: Tue, 21 Apr 2015 09:13:44 GMT Connection: keep-alive Vary: Accept-Encoding ETag: "553614c8-192" Access-Control-Allow-Origin: * Accept-Ranges: bytes