Articles in this section

See more

How to set up CORS (cross-origin resource sharing) in Plesk for Linux?

Avatar
Taras Ermoshin
Updated
Follow
Plesk for Linux kb: how-to ABT: Group B

Applicable to:

  • Plesk for Linux

Question

How to set up cross-origin resource sharing (CORS) in Plesk to allow example.org to get resources from example.com?

Answer

Note: CORS is supported in the following browsers: Chrome 3+, Firefox 3.5+, Opera 12+, Safari 4+, Internet Explorer 8+

Warning: Only one "Access-Control-Allow-Origin" is possible to be added. For Nginx, it's required to choose if it has to be HTTP or HTTPS. And won't work if set in Nginx and in Apache.

  1. Log in to Plesk on the server, where domain example.com is hosted.

  2. Navigate to the tab Domains > example.com > Apache and nginx settings and add the following directives to the section Additional directives for HTTP:

    CONFIG_TEXT: Header set Access-Control-Allow-Origin "http://example.org"

    Additional directives for HTTPS:

    CONFIG_TEXT: Header set Access-Control-Allow-Origin "https://example.org"

  3. In case nginx as reverse proxy is enabled, add the following nginx directive to Domains > example.org > Apache and nginx settings > Additional nginx directives, depending on whether website works via HTTP or HTTPS :

    CONFIG_TEXT: add_header 'Access-Control-Allow-Origin' 'http://example.org';

    CONFIG_TEXT: add_header 'Access-Control-Allow-Origin' 'https://example.org';

  4. Click Apply to save settings.

Comments

11 comments

Sort by Date Votes
  • Avatar
    Alex

    This actually worked for me, had to apply rule to both apache and nginx

    0
    Comment actions Permalink
  • Avatar
    Maghreb Services SARL

    Is this still the best way to enable CORS? In Plesk Obsidian we've been able to enable CORS for both Apache and nginx (as long as Proxy mode is enabled, so not for nginx standalone) by setting additional headers in the Common Apache settings section, with this format:

    Access-Control-Allow-Origin: example1.com

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Maghreb,

    Thank you for sharing your user experience.

    Your solution also works fine as a server-wide one.

    However, the solution specified in the article is more flexible as allows more granular setting per domain.

    0
    Comment actions Permalink
  • Avatar
    Kingsley Felix

    How do we add this when using PLESK OBSIDIAN 

    0
    Comment actions Permalink
  • Avatar
    Denis Bykov

    @Kingsley Felix
    Exactly the same method still applies.

    0
    Comment actions Permalink
  • Avatar
    Marco Maranao

    How would you setup for multiple domains?

    0
    Comment actions Permalink
  • Avatar
    Maxim Krasikov

    Hi @Marco Maranao,

    Additional directives for Apache or Nginx can also be applied for Service Plans. In this case, the directives can be applied for multiple domains.
    Please add directives in Plesk > Service Plans > plan_name > Web Server.

    0
    Comment actions Permalink
  • Avatar
    Peter Debik

    The examples given as a solution do not seem to match the situation

    "Plesk to display content from example.org on example.com?"

    I think the examples are showing the wrong way around. They allow content from example.com to be displayed in example.org. So should the introductory phrase not be

    "Plesk to display content from example.com on example.org?"

    0
    Comment actions Permalink
  • Avatar
    Mikhail Shport

    Hello Peter Debik,

    The "Access-Control-Allow-Origin" option allows getting access to the resources of the server for defined clients.

    In that case, you are right. The next directive allows example.org to get resources from example.com:

    Header set Access-Control-Allow-Origin "http://example.org"

    Thank you for bringing our attention to this fact. We will review the article and fix it in order to make it more correct and clear.

    0
    Comment actions Permalink
  • Avatar
    Bingo (Edited )

    Why do I get this error?

    has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

    I tried to add Header set Access-Control-Allow-Origin "https://example.org" but it didn't worked, i still get this error.

    EDIT: I found it my self, it was already 2 times in the htaccess file, so I deleted one of the lines, and now it is working like a charm :D

    0
    Comment actions Permalink
  • Avatar
    Kernel Labs (Edited )

    Something weird I encountered in a Plesk where nginx act as a proxy for Apache :

    I added

    add_header 'Access-Control-Allow-Origin' '*';

    to nginx additional directives for website example.com whose static files (fonts, images) where called by example.org.

    Everything's fine for these static resources till the developer told me about a problem with his plupload implementation : the xhr sent by plupload falls in a CORS error.

    The solution was to quote the

    Header set Access-Control-Allow-Origin "*"

    he had put in his .htaccess.
    It happens just as if htaccess instruction was in conflict with nginx instruction.

    Note :

    If .htaccess instruction is unquoted and the 'handle static resources by nginx' disabled and access control directive from nginx additional directives removed, the CORS error happens on plupload xhr and static files as well.

    Wish I understood why such a behaviour

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles