Score:0

CORS prevent js window.onerror from subdomain reporting informations

us flag

To log Javascript errors i have set up a function with window.onerror which trigger an ajax request and inform me about script errors. I load all my static files from a subdomain and if an error occurs from a file outside of the main domain, CORS seem to delete informations because of leak... https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onerror#notes

I have tried to fix the problem by setting up Access-Control-Allow-Origin like that:

add_header Access-Control-Allow-Origin https://static.example.com;

but with no success.

My subdomain carries aswell Access-Control-Allow-Origin with the main domain.

Header of the document:

Request URL: https://www.example.com/de/kontaktformular.html
Request Method: GET
Status Code: 200 
Remote Address: XXX
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-origin: https://static.example.com
cache-control: no-store, no-cache, must-revalidate
content-encoding: br
content-security-policy: ...
content-type: text/html; charset=UTF-8
date: Tue, 10 Aug 2021 10:21:35 GMT
expect-ct: enforce,max-age=30
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: same-origin
server: nginx
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
:authority: www.example.com
:method: GET
:path: /de/kontaktformular.html
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: de-IT,de;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6
cache-control: no-cache
cookie: __Host-PHPSESSID=k2284o6ejliq4t9113bicbv5tr; cookie_alert=1; cart=MjMtLC03OC0sLTF8fDU1LSwtMTI3LSwtMXx8NTUtLC0xMjgtLC0x
pragma: no-cache
referer: https://www.example.com/de/XXX.html
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

Header of the Js file which comes from subdomain:

Request URL: https://static.example.com/jquery_scripts.128.js
Request Method: GET
Status Code: 200 
Remote Address: XXX
Referrer Policy: same-origin
access-control-allow-origin: https://www.example.com
cache-control: public, max-age=31536000, s-maxage=31536000
content-encoding: gzip
content-type: text/javascript;charset=UTF-8
date: Tue, 10 Aug 2021 10:21:35 GMT
expires: Wed, 10 Aug 2022 10:21:35 GMT
last-modified: Tue, 10 Aug 2021 09:38:16 GMT
server: nginx
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
x-content-type-options: nosniff
:authority: static.example.com
:method: GET
:path: /jquery_scripts.128.js
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: de-IT,de;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6
cache-control: no-cache
pragma: no-cache
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Michael Hampton avatar
cz flag
You have an additional unrelated problem: Your static file `/de/kontaktformular.html` is being served by PHP. This is probably an error in your nginx configuration.
delato468 avatar
us flag
@MichaelHampton thanks for your input, the document is not static. I cant make the document static because i have dynamic content like login etc. Please tell me if i have mistaken your input and i can improve nginx configuration.
Michael Hampton avatar
cz flag
OK, if it is not actually a static file then there is no problem.
Score:2
in flag

From the same documentation:

If the server sends a response with an Access-Control-Allow-Origin value that is an explicit origin (rather than the "*" wildcard), then the response should also include a Vary response header with the value Origin — to indicate to browsers that server responses can differ based on the value of the Origin request header.

Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin
delato468 avatar
us flag
I have added Vary: Origin, but i wasnt able to replace with "vary: Accept-Encoding" header. So i have both headers "origin" and "accept-encoding". Unluckily its not working and i still dont recieve the error messages.
delato468 avatar
us flag
Ok i had to add `https://WWW.example.com` at my static files, not sure 100% why but its working now together with "vary".
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.