Applicable to:
- Plesk for Linux
Question
How to set up cross-origin resource sharing (CORS) in Plesk to allow example.org to get resources from example.com?
Answer
Note: CORS is supported in the following browsers: Chrome 3+, Firefox 3.5+, Opera 12+, Safari 4+, Internet Explorer 8+
Warning: Only one header Access-Control-Allow-Origin can be added. CORS will not work if the header is defined both in nginx and Apache, or twice for Apache or nginx respectively.
-
Log in to Plesk on the server where the domain example.com is hosted.
-
Go Domains > example.com > Apache & nginx Settings.
-
Add the CORS header:
for Apache-
Add the following line to the field Additional directives for HTTP:
Header set Access-Control-Allow-Origin "http://example.org"
-
Add the following line to the field Additional directives for HTTPS:
Header set Access-Control-Allow-Origin "https://example.org"
for nginxAdd one of the following lines to the field Additional nginx directives, depending on whether website works via HTTP or HTTPS:
add_header 'Access-Control-Allow-Origin' 'http://example.org';
OR
add_header 'Access-Control-Allow-Origin' 'https://example.org';
-
-
Click OK or Apply at the bottom of the page to apply the changes.
Note: CORS should be enabled on the remote/external server side, from where resources are requested.
Comments
20 comments
This actually worked for me, had to apply rule to both apache and nginx
Is this still the best way to enable CORS? In Plesk Obsidian we've been able to enable CORS for both Apache and nginx (as long as Proxy mode is enabled, so not for nginx standalone) by setting additional headers in the Common Apache settings section, with this format:
Access-Control-Allow-Origin: example1.com
Hello @Maghreb,
Thank you for sharing your user experience.
Your solution also works fine as a server-wide one.
However, the solution specified in the article is more flexible as allows more granular setting per domain.
How do we add this when using PLESK OBSIDIAN
@Kingsley Felix
Exactly the same method still applies.
How would you setup for multiple domains?
Hi @Marco Maranao,
Additional directives for Apache or Nginx can also be applied for Service Plans. In this case, the directives can be applied for multiple domains.
Please add directives in Plesk > Service Plans > plan_name > Web Server.
The examples given as a solution do not seem to match the situation
"Plesk to display content from example.org on example.com?"
I think the examples are showing the wrong way around. They allow content from example.com to be displayed in example.org. So should the introductory phrase not be
"Plesk to display content from example.com on example.org?"
Hello Peter Debik,
The "Access-Control-Allow-Origin" option allows getting access to the resources of the server for defined clients.
In that case, you are right. The next directive allows example.org to get resources from example.com:
Header set Access-Control-Allow-Origin "http://example.org"
Thank you for bringing our attention to this fact. We will review the article and fix it in order to make it more correct and clear.
Why do I get this error?
has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
I tried to add Header set Access-Control-Allow-Origin "https://example.org" but it didn't worked, i still get this error.
EDIT: I found it my self, it was already 2 times in the htaccess file, so I deleted one of the lines, and now it is working like a charm :D
Something weird I encountered in a Plesk where nginx act as a proxy for Apache :
I added
to nginx additional directives for website example.com whose static files (fonts, images) where called by example.org.
Everything's fine for these static resources till the developer told me about a problem with his plupload implementation : the xhr sent by plupload falls in a CORS error.
The solution was to quote the
he had put in his .htaccess.
It happens just as if htaccess instruction was in conflict with nginx instruction.
Note :
If .htaccess instruction is unquoted and the 'handle static resources by nginx' disabled and access control directive from nginx additional directives removed, the CORS error happens on plupload xhr and static files as well.
Wish I understood why such a behaviour
Hi,
I need to set only one value:
and not
How to?
Hello @Andrea Tadioli!
You just need to replace the URL with *:
for Apache:
for nginx:
I have added this exactly as it says in both apache and ngnix but still having this issue.
apache: Header set Access-Control-Allow-Origin "https://example.org"
ngnix: add_header 'Access-Control-Allow-Origin' 'https://example.org';
I added the following for both Apache and Ngnix but to no avail:
Apache: Header set Access-Control-Allow-Origin "*"
Ngnix: add_header 'Access-Control-Allow-Origin' '*';
I was able to resolved the CORS issue by disabling Apache http2 module from the this instruction and removing all traces of Header set Access-Control-Allow-Origin "*" in project .htaccess files.
Taras Ermoshin in this guide you said:
but this sound to me a no sense because I followed your guide to go Domains > example.com > Apache & nginx Settings.
Here I just added:Access-Control-Allow-Origin: "*"
and saved but seems Plesk add this to Apache and Nginx so I have:
has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
I don't know how to solve. Is because Apache and Nigix are active and Plesk put in both? So How can I fix this?
I'm asking also in the community and waiting support.
https://talk.plesk.com/threads/issue-with-cross-origin-plesk-is-locking.363032/
To me seems Plesk is not doing a great job as put my single directive twice and I don't see how resolve.
I hope in a reply.
I just tried this too on both options. apache and nginx but I still get the CORS error on the fonts which are coming from an s3 bucket.
Access to font at 'https://www.domain.com/wp-content/uploads/2021/08/KiaSignatureRegular.woff2' from origin 'https://domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I also have CORS policy on the s3 bucket which is open with '*'
I tried with specifying the domain and with '*' on the PLESK configurations for the domain.
Egbert.Frankenberg you can read the solution here.
Good evening. I'm having a similar problem.
In my case I'm trying to run a NodeJs server. http2 & Nginx are active.
The NodeJS server is directly accessible over the browser, but not as the target of an AJAX request.
I have tried all the suggestions above and more:
Apache & nginx Settings for
I also temporally deactivated HTTP2. No success.
Any other suggestions?
Hi Patrick Meppe.
Sorry but I think to be not able to help with that.
If you never get a reply here you can try ask on the Plesk forum https://talk.plesk.com/
Good luck!
Please sign in to leave a comment.