Access-Control-Allow-Origin wildcard subdomains ports and protocols

Question

I m trying to enable CORS for all subdomains  ports and protocol   For example  I want to be able to run an XHR request from http   sub mywebsite com 8080  to https   www mywebsite com    Typically  I d like to enable request from origins matching  and limited to         mywebsite com

User · Answer

The CORS spec is all-or-nothing  It only supports    null or the exact protocol   domain   port  http   www w3 org TR cors  access-control-allow-origin-response-header Your server will need to validate the origin header using the regex  and then you can echo the origin value in the Access-Control-Allow-Origin response header

User · Answer

We were having similar issues with Font Awesome on a static  cookie-less  domain when reading fonts from the  cookie domain   www domain tld  and this post was our hero  See here  How can I fix the   39 Missing Cross-Origin Resource Sharing  CORS  Response Header  39  webfont issue   For the copy paste-r types  and to give some props  I pieced this together from all the contributions and added it to the top of the  htaccess file of the site root    lt IfModule mod headers c gt    lt IfModule mod rewrite c gt      SetEnvIf Origin  http s             othersite  com mywebsite  com    d 1 5      CORS  0     Header set Access-Control-Allow-Origin    CORS e  env CORS     Header merge  Vary  Origin    lt  IfModule gt   lt  IfModule gt    Super Secure  Super Elegant  Love it  You don t have to open up your servers bandwidth to resource thieves   hot-link-er types   Props to  Noyo  DaveRandom  pratap-koritala    I tried to leave this as a comment to the accepted answer  but I can t do that yet

User · Answer

For Spring Boot I found this RegexCorsConfiguration which extends the official CorsConfiguration  https   github com looorent spring-security-jwt blob master src main java be looorent security jwt RegexCorsConfiguration java

User · Answer

EDIT  Use  Noyo s solution instead of this one  It s simpler  clearer and likely a lot more performant under load   ORIGINAL ANSWER LEFT HERE FOR HISTORICAL PURPOSES ONLY      I did some playing around with this issue and came up with this reusable  htaccess  or httpd conf  solution that works with Apache    lt IfModule mod rewrite c gt   lt IfModule mod headers c gt        Define the root domain that is allowed     SetEnvIf Origin    ACCESS CONTROL ROOT yourdomain com        Check that the Origin  matches the defined root domain and capture it in       an environment var if it does     RewriteEngine On     RewriteCond   ENV ACCESS CONTROL ROOT           RewriteCond   ENV ACCESS CONTROL ORIGIN          RewriteCond   ENV ACCESS CONTROL ROOT  amp   HTTP Origin       amp     amp  https               1     d 1 5          RewriteRule    -  E ACCESS CONTROL ORIGIN  2         Set the response header to the captured value if there was a match     Header set Access-Control-Allow-Origin   ACCESS CONTROL ORIGIN e env ACCESS CONTROL ORIGIN  lt  IfModule gt   lt  IfModule gt    Just set the ACCESS CONTROL ROOT variable at the top of the block to your root domain and it will echo the Origin  request header value back to the client in the Access-Control-Allow-Origin  response header value if it matches your domain   Note also that you can use sub mydomain com as the ACCESS CONTROL ROOT and it will limit origins to sub mydomain com and   sub mydomain com  i e  it doesn t have to be the domain root   The elements that are allowed to vary  protocol  port  can be controlled by modifying the URI matching portion of the regex

User · Answer

I m answering this question  because the accepted answer can t do following    regex grouping is a performance hit  which is not necessary  cannot match primary domain and it only works for sub domain     For example  It won t send CORS headers for http   mywebsite com while works for http   somedomain mywebsite com    SetEnvIf Origin  http s            mywebsite  com   d 1 5      CORS  0  Header set Access-Control-Allow-Origin    CORS e  env CORS Header merge  Vary  Origin    To enable for your site  you just put your site in place of  mywebsite com  in the above Apache Configuration   To allow Multiple sites   SetEnvIf Origin  http s             othersite  com mywebsite  com    d 1 5      CORS  0   Testing After deploying   The following curl response should have the  Access-Control-Allow-Origin  header after the change   curl -X GET -H  Origin  http   examplesite1 com  --verbose http   examplesite2 com query

User · Answer

Based on DaveRandom s answer  I was also playing around and found a slightly simpler Apache solution that produces the same result  Access-Control-Allow-Origin is set to the current specific protocol   domain   port dynamically  without using any rewrite rules   SetEnvIf Origin   https        mywebsite  com     d 1 5        CORS ALLOW ORIGIN  1 Header append Access-Control-Allow-Origin    CORS ALLOW ORIGIN e   env CORS ALLOW ORIGIN Header merge  Vary  Origin    And that s it   Those who want to enable CORS on the parent domain  e g  mywebsite com  in addition to all its subdomains can simply replace the regular expression in the first line with this one     https             mywebsite  com     d 1 5        Note  For spec compliance and correct caching behavior  ALWAYS add the Vary  Origin response header for CORS-enabled resources  even for non-CORS requests and those from a disallowed origin  see example why

User · Answer

When setting Access-Control-Allow-Origin in  htaccess  only following worked   SetEnvIf Origin  http s            domain  com   d 1 5      CRS  0 Header always set Access-Control-Allow-Origin    CRS e  env CRS   I tried several other suggested keywords Header append  Header set  none worked as suggested in many answers on SO  though I have no idea if these keywords are outdated or not valid for nginx   Here is my complete solution   SetEnvIf Origin  http s            domain  com   d 1 5      CRS  0 Header always set Access-Control-Allow-Origin    CRS e  env CRS Header merge Vary  Origin   Header always set Access-Control-Allow-Methods  GET  POST  Header always set Access-Control-Allow-Headers       Cached for a day Header always set Access-Control-Max-Age  86400  RewriteEngine On    Respond with 200OK for OPTIONS RewriteCond   REQUEST METHOD  OPTIONS RewriteRule         1  R 200 L

User · Answer

in my case using angular  in my HTTP interceptor   i set   with Credentials  true    in the header of the request

User · Answer

I had to modify Lars  answer a bit  as an orphaned   ended up in the regex  to only compare the actual host  not paying attention to the protocol or port  and I wanted to support localhost domain besides my production domain  Thus I changed the  allowed parameter to be an array   function getCORSHeaderOrigin  allowed   input        if   allowed                   return                 if   is array  allowed              allowed   array  allowed              foreach   allowed as  amp  value             value   preg quote  value                 if    wildcardPos   strpos  value             false                 value   str replace                value                         regexp           implode       allowed                 inputHost   parse url  input  PHP URL HOST        if   inputHost     null     preg match  regexp   inputHost   matches             return  none              return  input      Usage as follows   if  isset   SERVER  HTTP ORIGIN           header  Access-Control-Allow-Origin      getCORSHeaderOrigin array    myproduction com    localhost      SERVER  HTTP ORIGIN

User · Answer

It looks like the original answer was for pre Apache 2 4  It did not work for me  Here s what I had to change to make it work in 2 4  This will work for any depth of subdomain of yourcompany com   SetEnvIf Host            yourcompany  com       CORS ALLOW ORIGIN  1 Header append Access-Control-Allow-Origin    REQUEST SCHEME e     CORS ALLOW ORIGIN e    env CORS ALLOW ORIGIN Header merge  Vary  Origin

User · Answer

I needed a PHP-only solution  so just in case someone needs it as well  It takes an allowed input string like    example com  and returns the request header server name  if the input matches   function getCORSHeaderOrigin  allowed   input        if   allowed                   return                  allowed   preg quote  allowed             if    wildcardPos   strpos  allowed            false             allowed   str replace               allowed               regexp           allowed              if   preg match  regexp   input   matches             return  none              return  input      And here are the test cases for a phpunit data provider          lt description gt                              lt allowed gt            lt input gt                     lt expected gt  array  Allow Subdomain                          www example com    www example com           www example com    array  Disallow wrong Subdomain                 www example com    ws example com            none    array  Allow All                                                   ws example com                 array  Allow Subdomain Wildcard                   example com      ws example com            ws example com    array  Disallow Wrong Subdomain no Wildcard       example com      example com               none    array  Allow Double Subdomain for Wildcard        example com      a b example com           a b example com    array  Don  t fall for incorrect position         example com      a example com evil com    none    array  Allow Subdomain in the middle            a   example com    a bc example com          a bc example com    array  Disallow wrong Subdomain                 a   example com    b bc example com          none    array  Correctly handle dots in allowed         example com        exampleXcom               none

[cors] Access-Control-Allow-Origin wildcard subdomains, ports and protocols

Examples related to cors