Next.js Discord

help me with multiple domain support (cors 403 forbidden)

Answered
Britannia Petite posted this in #help-forum
Britannia Petite (OP)
the goal is to have my site accessible from multiple domains
but I'm getting
Request URL: https://maindomain.com/_next/static/chunks/node_modules_8f6d62cd._.js
Request Method: GET
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:443
Referrer Policy: strict-origin-when-cross-origin


any ideas of what i must do in my next config?
Answered by Britannia Petite
removing assetPrefix works

10 Replies

did you set up cors correctly?
Britannia Petite (OP)
lemme send a snippet
      {
        source: "/_next/static/:path*",
        headers: [
          {
            key: "Access-Control-Allow-Origin",
            value: allowedOrigins.join(", "),
          },
        ],
      },
const allowedOrigins = [
  ...allowedBaseDomains.map((d) => `https://${d}`),
  ...allowedBaseDomains.map((d) => `https://www.${d}`),
];
the allowedBaseDomains is just a list with all my domains (domain1.com, domain2.com, etc...)
tho this is my full headers config:
async headers() {
    return [
      // --- START: Added Rule for Static Assets ---
      // This rule allows your vanity domains to load scripts, styles, and other
      // static assets from your main domain (defined in assetPrefix).
      {
        source: "/_next/static/:path*",
        headers: [
          {
            key: "Access-Control-Allow-Origin",
            value: allowedOrigins.join(", "),
          },
        ],
      },
      // --- END: Added Rule for Static Assets ---
      {
        source: "/fonts/(.*).(ttf|woff|woff2|otf|eot)", // public/fonts/...
        headers: [
          {
            key: "Access-Control-Allow-Origin",
            value: "*",
          },
          {
            key: "Access-Control-Allow-Methods",
            value: "GET, OPTIONS",
          },
          {
            key: "Access-Control-Allow-Headers",
            value: "*",
          },
        ],
      },
      {
        source: "/(.*)",
        headers: [
          {
            key: "X-Frame-Options",
            value: "DENY",
          },
          {
            key: "X-Content-Type-Options",
            value: "nosniff",
          },
          {
            key: "X-XSS-Protection",
            value: "1; mode=block",
          },
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
          {
            key: "Permissions-Policy",
            value: "camera=(), microphone=(), geolocation=(), payment=()",
          },
          {
            key: "Strict-Transport-Security",
            value: "max-age=31536000; includeSubDomains",
          },
        ],
      },
    ];
  },
the static assets like the ones from /fonts
work just fine because the cors header has *
way before it didn't work with base domain only tho.
Britannia Petite (OP)
removing assetPrefix works
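
The `/_next/static` rule posted in this thread joins every origin into one `Access-Control-Allow-Origin` value, but that header carries a single origin (or `*`), so a browser will not match a comma-separated list against the requesting origin. The following is an added example, not code from the thread: it builds one `headers()` rule per origin using Next.js `has` matching on the `Origin` request header. The domain names are constructed placeholders, and `allowOriginFor` and `browserAccepts` are hypothetical helpers that only model rule selection and the browser's comparison.

```javascript
// Added example, not code from the thread. Domains are constructed placeholders.
const allowedBaseDomains = ["domain1.com", "domain2.com"];

// Same expansion the thread uses: bare and www. variants of every domain.
const allowedOrigins = allowedBaseDomains.flatMap((d) => [
  `https://${d}`,
  `https://www.${d}`,
]);

// `has` values are treated as regex-like strings, so escape metacharacters
// (otherwise "." in a domain would match any character).
const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Rules to return from headers() in next.config.js for the static assets.
function buildStaticCorsRules(origins) {
  const source = "/_next/static/:path*";
  return [
    // Always vary on Origin so a shared cache never replays a response
    // produced for one origin to a request from another.
    { source, headers: [{ key: "Vary", value: "Origin" }] },
    // One rule per origin: applied only when the request's Origin header
    // equals that origin, and the header value is that single origin.
    ...origins.map((origin) => ({
      source,
      has: [{ type: "header", key: "Origin", value: escapeRegex(origin) }],
      headers: [{ key: "Access-Control-Allow-Origin", value: origin }],
    })),
  ];
}

// Hypothetical helper: models rule selection as an anchored match on Origin.
function allowOriginFor(rules, requestOrigin) {
  const rule = rules.find(
    (r) => r.has && r.has.every((h) => new RegExp(`^${h.value}$`).test(requestOrigin))
  );
  return rule ? rule.headers[0].value : null;
}

// Hypothetical helper: for a request without credentials the browser accepts
// only "*" or an exact match with the requesting origin.
function browserAccepts(headerValue, requestOrigin) {
  return headerValue === "*" || headerValue === requestOrigin;
}
```

An origin outside the list gets no `Access-Control-Allow-Origin` header at all, which is the intended behaviour for an allow-list.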