As a continuation of the topic opened by the blog article
Iframe and clickjacking. Variations on a theme
- I cannot help but reproduce here an excellent script picked up on stackoverflow.com, in my opinion one of the most competent sources of technical information in the "short form", or "question:answer", style:
Had this issue too several weeks ago and found this great solution.
It allows access to any sub-domain by dynamically looking at the HTTP_Origin header, extracting the sub-domain of the origin host, and using that in the Access-Control-Allow-Origin header.
Just add the following to your .htaccess file:
Code:
<IfModule mod_headers.c>
<IfModule mod_rewrite.c>
# Dynamically change the Access-Control-Allow-Origin header to match the sub-domain the request is coming from
# Define the root domain that is allowed
SetEnvIf Origin .+ ACCESS_CONTROL_ROOT=example.com
# Check that the Origin: matches the defined root domain and capture it in an environment var if it does
RewriteEngine On
RewriteCond %{ENV:ACCESS_CONTROL_ROOT} !=""
RewriteCond %{ENV:ACCESS_CONTROL_ORIGIN} =""
RewriteCond %{ENV:ACCESS_CONTROL_ROOT}&%{HTTP:Origin} ^([^&]+)&(https?://(?:.+?\.)?\1(?::\d{1,5})?)$
RewriteRule .* - [E=ACCESS_CONTROL_ORIGIN:%2]
# Set the response header to the captured value if there was a match
Header set Access-Control-Allow-Origin %{ACCESS_CONTROL_ORIGIN}e env=ACCESS_CONTROL_ORIGIN
# Allow credentials to enable cookies being sent cross domain, so the user can stay logged in as long as the session file is available to both domains
Header set Access-Control-Allow-Credentials "true"
# Set here the headers needed for the AJAX requests, if a needed header is not in this list you will see an error in Chrome mentioning which header needs to be added here
Header set Access-Control-Allow-Headers "sender, filename, content-type, accept, x-requested-with, x-request"
</IfModule>
</IfModule>
, and also on the same topic, this interesting
discussion
, click the link.
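As an added illustration, not part of this post or of the quoted stackoverflow answer, the origin check that the .htaccess RewriteCond performs is replayed below in Python so that the accept/reject decision can be seen for constructed sample origins; the `STRICT_PATTERN` variant and the `Vary: Origin` header are assumptions of mine, not something the snippet does.

```python
import re

# The RewriteCond in the snippet joins ENV:ACCESS_CONTROL_ROOT and the
# request's Origin header with '&' and matches this pattern against the
# result. \1 is a backreference, so the root is matched literally (the dot
# in "example.com" is not a wildcard).
PAGE_PATTERN = re.compile(r"^([^&]+)&(https?://(?:.+?\.)?\1(?::\d{1,5})?)$")

# Hypothetical tighter variant (not from the snippet): same shape, but the
# subdomain labels may only contain hostname characters. A browser's Origin
# is only scheme://host[:port], so legitimate requests lose nothing.
STRICT_PATTERN = re.compile(
    r"^([^&]+)&(https?://(?:[A-Za-z0-9-]+\.)*\1(?::\d{1,5})?)$"
)


def allowed_origin(root, origin, pattern=PAGE_PATTERN):
    """Return the value to echo in Access-Control-Allow-Origin, or None.

    Mirrors the RewriteConds: the root must be configured, an Origin must
    be present, and "root&origin" must match the pattern."""
    if not root or not origin:
        return None
    m = pattern.match(f"{root}&{origin}")
    return m.group(2) if m else None


def cors_response_headers(root, origin):
    """Response headers the snippet emits for one request (constructed)."""
    headers = {
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers":
            "sender, filename, content-type, accept, x-requested-with, x-request",
    }
    granted = allowed_origin(root, origin)
    if granted:
        headers["Access-Control-Allow-Origin"] = granted
        # Added here, not in the snippet: the response now depends on the
        # Origin header, so a shared cache must not reuse it across origins.
        headers["Vary"] = "Origin"
    return headers


if __name__ == "__main__":
    for o in ["https://app.example.com", "http://example.com:8080",
              "https://example.com.evil.net", "https://evil-example.com", "null"]:
        print(o, "->", allowed_origin("example.com", o))
```

The trailing `$` is what rejects suffix look-alikes such as `example.com.evil.net`; the looser `.+?` in the page's pattern also accepts strings no browser would ever send as an Origin, which the strict variant excludes.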