Hi Richard. You have got me thinking ... https://username:[email protected]/ works, even without ANY of the "add_header" and "proxy_set_header" directives.
So, now the only thing that worries me is security. http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https indicates that the URL is safe, in the sense that "username" and "password" would not be sniffable through a man-in-the-middle attack, right?

Also, since 1.2.3.4 is our own server, we are not really bothered about GET requests getting logged on the server, so we should be good.

Do I make sense? Kindly let me know your thoughts.

Thanks and Regards,
Ajay

On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <[email protected]> wrote:

> You're missing the "Authorization" header in your Access-Control-Allow-Headers
> directive.
>
> You can alternatively pass the basic auth in your URI, e.g. xhr.open("GET",
> "https://username:[email protected]/") rather than crafting it manually.
>
> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <[email protected]> wrote:
>
>> Strange, but rebooting the machine caused the credentials-popup to be
>> seen again :-|
>> Sorry for the noise here.
>>
>> There has been some progress, but still get a "CORS preflight did not
>> succeed error".
>> Following is what I am doing.
>>
>>
>> a)
>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>
>> ##########################################################################
>> server {
>>
>>     listen 443 ssl;
>>
>>     ssl_certificate /etc/nginx/ssl/nginx.crt;
>>     ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>     add_header 'Access-Control-Max-Age' 1728000 'always';
>>     add_header 'Access-Control-Allow-Origin' $http_origin 'always';
>>     add_header 'Access-Control-Allow-Credentials' 'true' 'always';
>>     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
>>     add_header 'Access-Control-Allow-Headers'
>>         'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
>>         'always';
>>
>>     location / {
>>
>>         auth_basic 'Restricted';
>>         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>
>>         proxy_set_header 'Access-Control-Max-Age' 1728000;
>>         proxy_set_header 'Access-Control-Allow-Origin' '*';
>>         proxy_set_header 'Access-Control-Allow-Credentials' 'true';
>>         proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>         proxy_set_header 'Access-Control-Allow-Headers'
>>             'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
>>
>>         proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
>>
>>     }
>> }
>> ##########################################################################
>>
>>
>>
>>
>> b)
>> Firing the following html from firefox (sensitive information changed) ::
>>
>> ##########################################################################
>> <html>
>> <body>
>> <script type="text/javascript">
>>     var data = null;
>>
>>     var xhr = new XMLHttpRequest();
>>     xhr.withCredentials = true;
>>
>>     xhr.addEventListener("readystatechange", function () {
>>         if (this.readyState === 4) {
>>             console.log(this.responseText);
>>         }
>>     });
>>
>>     xhr.open("GET", "https://1.2.3.4/");
>>     xhr.setRequestHeader("authorization", "Basic abcdefg");
>>     xhr.setRequestHeader("cache-control", "no-cache");
>>
>>     xhr.send(data);
>> </script>
>> </body>
>> </html>
>> ##########################################################################
>>
>>
>>
>> Following is received in the firebug-console (sensitive information
>> changed) ::
>>
>> ##########################################################################
>> GET https://23.253.207.208/
>> uff.html (line 19)
>> Headers
>>
>> Accept           text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Encoding  gzip, deflate, br
>> Accept-Language  en-US,en;q=0.5
>> Authorization    Basic abcdefg
>> Cache-Control    no-cache
>> Host             1.2.3.4
>> Origin           null
>> User-Agent       Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
>>
>>
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>> channel did not succeed).
>> ##########################################################################
>>
>>
>> I am beginning to believe that I am close to solving the issue (of
>> course all credit to tremendous help from this list).
>> I will be grateful for the last bit of help being received by the
>> really helpful experts here.
>>
>> Sorry again for the noise in my previous email.
>>
>>
>> Thanks and Regards,
>> Ajay
>> _______________________________________________
>> nginx mailing list
>> [email protected]
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>

--
Regards,
Ajay
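The Firebug log in the quoted thread shows why the preflight fails: the browser sends the OPTIONS preflight without the Authorization header (and without cookies), so with `auth_basic` on `location /` nginx answers the preflight with a 401, and a browser treats any non-2xx preflight response as a failure. Two further problems sit in the quoted server block: `Access-Control-Allow-Origin $http_origin` combined with `Access-Control-Allow-Credentials true` lets any origin make credentialed requests, and `proxy_set_header` sets headers on the request sent to the upstream, not on the response the browser sees, so those lines never affect CORS at all. The configuration below is an added example for this page, not code from the thread or from the nginx project. It keeps the certificate, htpasswd and upstream settings of the quoted block, assumes that `$forwarded_protocol` and `$forwarded_port` are set elsewhere in the configuration as in the post, and uses `https://app.example.com` as a placeholder for the one site that is allowed to call the API.

```nginx
# Added example, not from the thread. Only the allow-listed origin gets CORS
# headers; for any other Origin $cors_origin is empty and add_header emits
# nothing. "https://app.example.com" is a placeholder assumption.
map $http_origin $cors_origin {
    default                   "";
    "https://app.example.com" $http_origin;
}

server {
    listen 443 ssl;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # The preflight carries no Authorization header, so it has to be
        # answered before auth_basic runs. "if ... return" executes in the
        # rewrite phase, which precedes the access phase where auth_basic
        # would otherwise reply 401 and make the preflight fail.
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials true         always;
            add_header Access-Control-Allow-Methods     'GET, POST, OPTIONS' always;
            # Authorization was missing from the quoted list; a request
            # header that is not named here makes the preflight fail.
            add_header Access-Control-Allow-Headers     'Authorization,Content-Type,Cache-Control,X-Requested-With,X-CustomHeader' always;
            add_header Access-Control-Max-Age           1728000 always;
            add_header Vary                             Origin always;
            return 204;
        }

        auth_basic           'Restricted';
        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

        # Headers on the actual (credentialed) response. "always" keeps them
        # on a 401 as well, so the calling script sees the real status code
        # instead of an opaque CORS failure. add_header in a location replaces
        # any add_header inherited from the server block, so they are listed here.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials true         always;
        add_header Vary                             Origin always;

        # proxy_set_header only shapes the upstream request; the CORS
        # proxy_set_header lines from the quoted block are dropped because
        # the browser never sees them.
        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
    }
}
```

Two practical notes. The Firebug output shows `Origin null`, which is what Firefox sends for a page opened from the local filesystem; the allow-list above refuses that, so the test page has to be served from the allow-listed origin rather than opened as a file. On the credentials-in-URL question: TLS encrypts the request line and headers, so the userinfo part of the URL is not visible to a passive on-path observer, but it is visible to anything that can read the page or its script (including an XSS on that page), and once the browser has a Basic credential cached for the host it may attach it to credentialed cross-origin requests from other sites, which is exactly why Allow-Origin must be an allow-list rather than a reflection of `$http_origin` when Allow-Credentials is true.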
