Allowing cross origin requests for http and https

My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:

Header set Access-Control-Allow-Origin: http://example.com

I want to allow CORS for both http and https versions of my site (not just "*") and tried the solutions here: Access-Control-Allow-Origin Multiple Origin Domains?

But the problem is that all solutions rely on Origin header in the request which may not exist and also is not secure. (anyone can put a origin header in their request)

I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:

SetEnvIf servedOverHttps httpsOrigin=true
Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin

SetEnvIf notServedOverHttps httpOrigin=true
Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin

How can I find out that it's a https request?

---

Have you tried using HTTPS variable?

It will be set to "on" for all https requests. Your .htaccess should look like this

Header set Access-Control-Allow-Origin: http://example.com             #default
Header set Access-Control-Allow-Origin: https://example.com env=HTTPS   #override if https

链接地址: http://www.djcxy.com/p/25752.html

上一篇: 传递一个Swift类作为参数，然后调用一个类方法

下一篇: 允许http和https的跨源请求