Konubinix' opinionated web of thoughts

Lighttpd With CORS


1 Introduction

Following the article trying to patch lighttpd to work with CORS, I found out that there is a way to configure lighttpd instead of rebuilding it.

2 OPTIONS request

See here for an introduction to preflight requests. In brief, when using CORS, some browsers (like Chrome) tend to send a preflight request before the actual one, to make sure the correct headers are available. To do so, they don't GET the page, but send an OPTIONS request for it instead. On receiving OPTIONS, the server should return an empty body and only the response headers.

Apparently, the standard indicates that an OPTIONS request should not check the authorization.

3 lighttpd with mod_auth

lighttpd checks the authorization very early, even before checking for the OPTIONS request. Hence the patch suggested in the article.

4 lighttpd configured with OPTIONS

For lighttpd not to check the authorization with OPTIONS, simply wrap the auth.require part in a condition that excludes the OPTIONS method.

# Require authentication for every request method except OPTIONS (CORS preflight)
$HTTP["request-method"] !~ "^(OPTIONS)$" {
        auth.require   = ( "" => ... )
}
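
A way to check that the condition above exempts only OPTIONS from authentication, as an added example that is not part of the original post. The stub server is a constructed stand-in that applies the same regex as the lighttpd condition; `probe`, `audit` and `run_against_stub` are hypothetical helper names, and `audit` can be pointed at the host and port of a real lighttpd instance.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same pattern as the lighttpd condition: only an exact "OPTIONS" skips auth.
NO_AUTH = re.compile(r"^(OPTIONS)$")

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the configured server (not lighttpd itself)."""
    def _handle(self):
        authed = NO_AUTH.search(self.command) or "Authorization" in self.headers
        body = b"protected\n" if authed and self.command != "OPTIONS" else b""
        self.send_response(200 if authed else 401)
        if not authed:
            self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = do_OPTIONS = _handle
    def log_message(self, *args):  # keep the stub quiet
        pass

def probe(host, port, method, path="/"):
    """Send one request without credentials; return (status, body length)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()

def audit(host, port):
    """Only OPTIONS may pass unauthenticated, and it must return no body."""
    results = {m: probe(host, port, m) for m in ("OPTIONS", "GET", "POST")}
    return {
        "preflight_unauthenticated": results["OPTIONS"][0] != 401,
        "preflight_empty_body": results["OPTIONS"][1] == 0,
        "others_still_protected": all(results[m][0] == 401 for m in ("GET", "POST")),
    }

def run_against_stub():
    """Run the audit against the constructed stub on a free loopback port."""
    with HTTPServer(("127.0.0.1", 0), StubHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return audit("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
```

If `others_still_protected` comes back false against a real server, the exemption is wider than the preflight method and the condition needs to be reviewed.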