How to enable Cross-Origin Requests (CORS) on nginx

Requesting files from a different host can cause problems because of Cross-Origin Resource Sharing (CORS) policies:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://cdn.example.com/fonts/fontawesome-webfont.woff. This can be fixed by moving the resource to the same domain or enabling CORS.

Cross-domain requests are otherwise forbidden by many web browsers because of the same-origin security policy.
Because some browsers ignore the same-origin security policy while others enforce it, you should enable CORS on nginx if you host content on a different domain or subdomain. Otherwise the client can’t load the requested files.

In my case Safari ignores the same-origin security policy if the file is on the same domain but on a different subdomain – Firefox enforces the policy and blocks the request – and the client isn’t able to load the file. This could change from version to version. So it’s recommended to enable cross-origin requests!

To enable CORS, edit the nginx config file that contains the server block serving the external files.

Place an add_header directive inside the location block of that server block:

location / {
	add_header 'Access-Control-Allow-Origin' *;
}

In this example a wildcard allows requests from every origin. To restrict access instead, replace the wildcard with a specific origin such as http://www.example.com.

To enable CORS only for *.example.com, use this:

location / {
	# Echo the requesting origin only if it is a subdomain of example.com.
	# ^ and $ anchor the pattern so that only the whole Origin value counts;
	# without them a longer host name that merely starts with an allowed
	# host would match too.
	if ($http_origin ~* '^(https?://[^/]*\.example\.com(:[0-9]+)?)$') {
		add_header 'Access-Control-Allow-Origin' "$http_origin";
	}
}

Multiple domains can be allowed as well:

location / {
	# One alternative per allowed domain; the pattern is anchored with ^ and $
	# so that the whole Origin value has to match one of them.
	if ($http_origin ~* '^(https?://[^/]*\.example\.com(:[0-9]+)?|https?://[^/]*\.otherdomain\.com(:[0-9]+)?)$') {
		add_header 'Access-Control-Allow-Origin' "$http_origin";
	}
}
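The same allow-list check that the two if-blocks above express in nginx, carried into Python as an added example (it is not code from the original post or from nginx) so that it can be exercised offline. It builds the same alternation that nginx's case-insensitive ~* operator matches against, once anchored with ^ and $ and once as the unanchored search nginx performs when no anchors are given, and shows which Origin values each form accepts. It also returns the Vary: Origin header that should accompany a per-request Access-Control-Allow-Origin value so that a shared cache does not serve one origin's response to another. The allowed domains and the sample Origin values are constructed for the example.

```python
import re

# Allow-list of parent domains; constructed values for this example.
ALLOWED_DOMAINS = ["example.com", "otherdomain.com"]


def origin_pattern(domains, anchored=True):
    """Build the alternation the nginx `if ($http_origin ~* ...)` test uses:
    one alternative per domain, each requiring a scheme, at least one host
    label before the domain, and an optional port. With anchored=True the
    pattern gets ^ and $, so the whole Origin value must match rather than
    just a prefix of it."""
    alternatives = "|".join(
        r"https?://[^/]*\." + re.escape(domain) + r"(:[0-9]+)?" for domain in domains
    )
    body = "(" + alternatives + ")"
    if anchored:
        body = "^" + body + "$"
    # nginx's ~* operator is a case-insensitive search anywhere in the value.
    return re.compile(body, re.IGNORECASE)


def allowed_origin(origin, domains=ALLOWED_DOMAINS, anchored=True):
    """Return the Origin value to echo back, or None if it is not allowed."""
    if not origin:
        return None
    return origin if origin_pattern(domains, anchored).search(origin) else None


def cors_headers(origin, domains=ALLOWED_DOMAINS):
    """Response headers for a validated origin. Because the allowed value is
    copied from the request, Vary: Origin tells caches to key on it."""
    echoed = allowed_origin(origin, domains)
    if echoed is None:
        return {}
    return {"Access-Control-Allow-Origin": echoed, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed Origin header values as a browser would send them.
    samples = [
        "https://www.example.com",
        "http://cdn.otherdomain.com:8080",
        "HTTPS://STATIC.EXAMPLE.COM",
        "https://example.com",                      # apex domain: not *.example.com
        "https://www.example.com.lookalike.test",   # only starts like an allowed host
        "https://unrelated.test",
    ]
    for sample in samples:
        print(f"{sample:42} anchored={allowed_origin(sample)!s:40} "
              f"unanchored={allowed_origin(sample, anchored=False)}")
```

Note that neither form accepts the bare apex domain https://example.com, because the pattern requires a dot in front of example.com; if the site itself should be allowed, add it as a separate alternative rather than loosening the host part.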

Finally, reload nginx (Debian: /etc/init.d/nginx reload) and test it. Have a look at the response headers (Firebug helps; you may have to clear your browser cache first):

[Screenshot: Firebug - CORS Request on nginx]

Or something like this:

HTTP/1.1 200 OK
...
Access-Control-Allow-Origin: *
...

Tested and Failed: Why myadvertisingpays.com is Crap

Have you ever heard of MAP before? Lucky you! My mother forwarded me an e-mail from a person she knows who told her that she could earn a lot of money with myadvertisingpays.com (My Advertising Pays, or just MAP).

So I checked a lot of sites to get information about this site and the system (MAP). I thought this was just another pyramid scheme (Ponzi scheme!) to steal money, and I really don’t like or support such unsustainable business models. I work to earn money, not to steal money from other people. Do you think it would be great and fair if your boss/company gave you a good and correct wage for your excellent work? Well, I guess you do. Who wants to get robbed or to work under slave conditions?

I read a lot of positive (but suspicious!) articles on different blogs and watched a few YouTube clips about MAP. Nearly every blog was about making money online. Finally I changed my mind and decided to try it. After I had created my account I bought one credit pack for 51.59 bucks – those credit packs are needed to earn money; otherwise you could refer other people to get money, which works like an affiliate program; they call it sponsoring.


After my first test run I figured out that the ads displayed on myadvertisingpays.com are complete crap, 99% of them. Most of the ads show strange ways to make money: buying a (crap) book about making money, spending money on another MAP system and so on. Well, I paid for one credit pack and now I want my money back after I saw and checked that this system sucks. Don’t believe what those people (on money-maker blogs and so on) are telling you. If you want to make a lot of extra bucks with myadvertisingpays.com, you are going wrong. I don’t want to talk about credit card fees and so on, another fact you should think about – think from A to Z before you waste your money and your time!

The people who told you to use MAP (and want to be your sponsor – you need one…!) just earn money from your investments (way more than you could earn if you don’t want to be a sponsor too!) – those people are tricky; they make you believe that they are friendly and nice because they share their money-making machine with you. They are just bandits. You also want to be a bandit? Just join the MAP system.

But let me continue telling you why myadvertisingpays.com is crap and insecure. After a few days I saw that my earnings didn’t grow much more; they just stopped growing at 1.35 USD. I tried to do the work you are supposed to do (just view 10 ads each day). This should be done within a few minutes, if their servers worked well. I stopped trying after 20 minutes because the site didn’t load (503 gateway errors on their side).

Now I decided to submit a support ticket to refund all my money, because I think this system is just another well-masked pyramid scheme that is touted nicely, just like car salesmen do.


After I had submitted the ticket, the reply came really fast (if it’s true, the CEO Mike answered), but I was shocked: they sent me my login name and my complete password in plain text to log in on myadvertisingpays.com! They had also sent my passwords (and the second one, yeah, you need two different passwords…) in plain text directly after the registration, and I thought this was crazy, but that could happen if the developer decides to send the password only once, at registration, as plain text by mail. There are only two possible ways to send the complete private plain-text password to a customer after the registration:

  • Store the password as plain text, not encrypted
  • Use a secret key to decrypt the stored encrypted password – but this key could get stolen if they got hacked

Both of the ways above are worst-case scenarios!
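What a service does instead when it does not keep a recoverable copy of the password, as an added Python example (not code from the original post or from myadvertisingpays.com): the stored record holds only a random salt and a PBKDF2 hash, so the server can verify a login but has nothing it could mail back, and a password reset sends a random one-time token whose hash is stored instead of the password. The iteration count, salt length and the sample credential are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example; raise the iteration count as hardware allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_password(password):
    """Build the record a service keeps for a user: a fresh random salt and a
    one-way PBKDF2-HMAC-SHA256 hash. The plaintext never enters the record,
    so neither a support reply nor a database dump can reveal it."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and parameters and compare it
    in constant time; checking a candidate is the only thing the record supports."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def issue_reset_token():
    """What to send by mail instead of a password: a random one-time token.
    Returns (token_for_the_mail, record_for_the_database); only the token's
    hash is stored, so a stolen database does not contain usable tokens."""
    token = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(), "used": False}
    return token, record


def redeem_reset_token(record, presented):
    """Accept the token once; a second use or a wrong token is rejected."""
    if record["used"]:
        return False
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented_hash, record["token_hash"]):
        return False
    record["used"] = True
    return True


if __name__ == "__main__":
    # Constructed sample credential.
    user_record = store_password("correct horse battery staple")
    print("stored record:", user_record)  # salt and hash only, no plaintext
    print("login ok:", verify_password(user_record, "correct horse battery staple"))
    print("wrong password:", verify_password(user_record, "Tr0ub4dor&3"))
    token, token_record = issue_reset_token()
    print("reset with mailed token:", redeem_reset_token(token_record, token))
    print("token reused:", redeem_reset_token(token_record, token))
```

Because the salt is random, storing the same password twice yields two different records, and nothing in a record lets the operator, or whoever copies the database, reconstruct the password to put it into an e-mail.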

Folks, just think about this company! Don’t waste your money, and change your password on every other service where you use the same one.

Finally they told me that they would refund my money within 7 days, and they blocked my account right away because of the refund. So now I can’t change my login information! But I was able to verify my login, just to see that my account is blocked. Well, great logic behind this (ironic!)
