How do you set the Access-Control-Allow-Origin header for the HTTP basic authentication response in Apache?

Question

I want to use XHR to log in to a site that uses HTTP basic authentication. The following piece does this.

http = new XMLHttpRequest();
http.open("get", "http://...", false, username, password);
http.send("");

The problem is that this does not work from a domain that is different from the one where the authentication is. The solution is simple enough: set the Access-Control-Allow-Origin header to *. So I changed my Apache configuration to this:

<Location />
    Header set Access-Control-Allow-Origin "*"

    AuthType Basic
    AuthName "trac"
    AuthUserFile /home/admin/development/pass.htpasswd
    Require valid-user
</Location>

Responses from that page look like:

HTTP/1.1 401 Authorization Required
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 345
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 11 Sep 2011 01:17:55 GMT
Keep-Alive: timeout=15, max=100
Vary: Accept-Encoding
WWW-Authenticate: Basic realm="trac"

The responses do not have the Access-Control-Allow-Origin header. This seems strange.

When I use the same Header directive for the inside pages, the header is set.

Why was the header not set? How do you set the Access-Control-Allow-Origin header for the HTTP basic authentication response in Apache?

Answer 1

The answer is:

Header always set Access-Control-Allow-Origin "*"

instead of

Header set Access-Control-Allow-Origin "*"

And the reason is in the documentation of Header directive:

Header [condition] set|append|merge|add|unset|echo|edit header [value] [replacement] [early|env=[!]variable]

The optional condition argument determines which internal table of responses headers this directive will operate against. Other components of the server may have stored their response headers in either the table that corresponds to onsuccess or the table that corresponds to always. "Always" in this context refers to whether headers you add will be sent during both a successful and unsucessful response, but if your action is a function of an existing header, you will have to read on for further complications.

The default value of onsuccess may need to be changed to always under the circumstances similar to those listed below. Note also that repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers:

• You're adding a header to a non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
• You're modifying or removing a header generated by a CGI script, in which case the CGI scripts are in the table corresponding to always and not in the default table.
• You're modifying or removing a header generated by some piece of the server but that header is not being found by the default onsuccess condition.

In your case you send a 401 response instead of a classical 200 response, and the Header is only set on 200 responses if you do not use the always keyword.