Access-Control-Allow-Origin Multiple Origin Domains

Question

Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header   I m aware of the    but it is too open  I really want to allow just a couple domains   As an example  something like this   Access-Control-Allow-Origin  http   domain1 example  http   domain2 example   I have tried the above code but it does not seem to work in Firefox   Is it possible to specify multiple domains or am I stuck with just one

User · Answer

If you are having trouble with fonts  use    lt FilesMatch     ttf ttc otf eot woff    gt       lt IfModule mod headers gt          Header set Access-Control-Allow-Origin          lt  IfModule gt   lt  FilesMatch gt

User · Answer

For Nginx users to allow CORS for multiple domains  I like the  marshall s example although his anwers only matches one domain  To match a list of domain and subdomain this regex make it ease to work with fonts   location         ttf ttc otf eot woff woff2        if    http origin     https            domain1 domain2 domain3      me co com              add header  Access-Control-Allow-Origin    http origin            This will only echo  Access-Control-Allow-Origin  headers that matches with the given list of domains

User · Answer

For a fairly easy copy   paste for  NET applications  I wrote this to enable CORS from within a global asax file   This code follows the advice given in the currently accepted answer  reflecting whatever origin back is given in the request into the response   This effectively achieves     without using it     The reason for this is that it enables multiple other CORS features  including the ability to send an AJAX XMLHttpRequest with the  withCredentials  attribute set to  true    void Application BeginRequest object sender  EventArgs e        if  Request HttpMethod     OPTIONS                 Response AddHeader  Access-Control-Allow-Methods    GET  POST            Response AddHeader  Access-Control-Allow-Headers    Content-Type  Accept            Response AddHeader  Access-Control-Max-Age    1728000            Response End              else               Response AddHeader  Access-Control-Allow-Credentials    true             if  Request Headers  Origin      null              Response AddHeader  Access-Control-Allow-Origin    Request Headers  Origin             else             Response AddHeader  Access-Control-Allow-Origin

User · Answer

Here is what i did for a PHP application which is being requested by AJAX   request headers          apache request headers     http origin               request headers  Origin     allowed http origins     array                               http   myDumbDomain example                                   http   anotherDumbDomain example                                  http   localhost                                  if  in array  http origin   allowed http origins           header  Access-Control-Allow-Origin       http origin       If the requesting origin is allowed by my server  return the  http origin itself as value of the Access-Control-Allow-Origin header instead of returning a   wildcard

User · Answer

Another solution I m using in PHP    http origin     SERVER  HTTP ORIGIN     if   http origin     http   www domain1 com      http origin     http   www domain2 com      http origin     http   www domain3 com           header  Access-Control-Allow-Origin   http origin

User · Answer

For ExpressJS applications you can use   app use  req  res  next    gt        const corsWhitelist              https   domain1 example            https   domain2 example            https   domain3 example             if  corsWhitelist indexOf req headers origin      -1            res header  Access-Control-Allow-Origin   req headers origin           res header  Access-Control-Allow-Headers    Origin  X-Requested-With  Content-Type  Accept               next

User · Answer

AWS Lambda API Gateway  For information on how to configure multiple origins on Serverless AWS Lambda and API Gateway - albeit a rather large solution for something one would feel should be quite straightforward - see here   https   stackoverflow com a 41708323 1624933    It is currently not possible to configure multiple origins in API Gateway  see here  https   docs aws amazon com apigateway latest developerguide how-to-cors-console html   but the recommendation  in the answer above  is    inspect the Origin header sent by the browser check it against a whitelist of origins if it matches  return the incoming Origin as the Access-Control-Allow-Origin header  else return a placeholder  default origin       The simple solution is obviously enabling ALL     like so   exports handler   async  event    gt        const response             statusCode  200          headers                 Access-Control-Allow-Origin                     Access-Control-Allow-Credentials    true    Required for cookies  authorization headers with HTTPS                    body  JSON stringify      But it might be better to do this on the API Gateway side  see 2nd link above

User · Answer

I had the same problem with woff-fonts  multiple subdomains had to have access  To allow subdomains I added something like this to my httpd conf   SetEnvIf Origin        example  com    ORIGIN SUB DOMAIN  1  lt FilesMatch    woff   gt      Header set Access-Control-Allow-Origin    ORIGIN SUB DOMAIN e  env ORIGIN SUB DOMAIN  lt  FilesMatch gt    For multiple domains you could just change the regex in SetEnvIf

User · Answer

If you try so many code examples like me to make it work using CORS  it is worth to mention that you have to clear your cache first to try if it actually works  similiar to issues like when old images are still present  even if it s deleted on the server  because it is still saved in your cache     For example CTRL   SHIFT   DEL in Google Chrome to delete your cache    This helped me using this code after trying many pure  htaccess solutions and this seemed the only one working  at least for me        Header add Access-Control-Allow-Origin  http   google com      Header add Access-Control-Allow-Headers  authorization  origin  user-token  x-requested-with  content-type      Header add Access-Control-Allow-Methods  PUT  GET  POST  DELETE  OPTIONS        lt FilesMatch     ttf otf eot woff    gt           lt IfModule mod headers c gt              SetEnvIf Origin  http s      www     google com staging google com development google com otherdomain com dev02 otherdomain net    AccessControlAllowOrigin  0             Header add Access-Control-Allow-Origin   AccessControlAllowOrigin e env AccessControlAllowOrigin          lt  IfModule gt       lt  FilesMatch gt    Also note that it is widely spread that many solutions say you have to type Header set     but it is Header add      Hope this helps someone having the same troubles for some hours now like me

User · Answer

For multiple domains  in your  htaccess    lt IfModule mod headers c gt      SetEnvIf Origin  http s      www     domain1 example domain2 example    AccessControlAllowOrigin  0 1     Header add Access-Control-Allow-Origin   AccessControlAllowOrigin e env AccessControlAllowOrigin     Header set Access-Control-Allow-Credentials true  lt  IfModule gt

User · Answer

The answer seems to be to use the header more than once   That is  rather than sending  Access-Control-Allow-Origin  http   domain1 example  http   domain2 example  http   domain3 example   send  Access-Control-Allow-Origin  http   domain1 example Access-Control-Allow-Origin  http   domain2 example Access-Control-Allow-Origin  http   domain3 example   On Apache  you can do this in an httpd conf  lt VirtualHost gt  section or  htaccess file using mod headers and this syntax   Header add Access-Control-Allow-Origin  http   domain1 example  Header add Access-Control-Allow-Origin  http   domain2 example  Header add Access-Control-Allow-Origin  http   domain3 example    The trick is to use add rather than append as the first argument

User · Answer

Here s how to echo the Origin header back if it matches your domain with Nginx  this is useful if you want to serve a font multiple sub-domains   location  fonts         this will echo back the origin header     if   http origin    example org              add header  Access-Control-Allow-Origin   http origin

User · Answer

PHP Code     httpOrigin   isset   SERVER  HTTP ORIGIN        SERVER  HTTP ORIGIN     null  if  in array  httpOrigin         http   localhost 9000      Co-worker dev-server      http   127 0 0 1 9001      My dev-server     header  Access-Control-Allow-Origin    httpOrigin     header  Access-Control-Allow-Credentials  true

User · Answer

Below answer is specific to C   but the concept should be applicable to all the different platforms   To allow Cross Origin Requests from a web api  You need to allow Option requests to your Application and Add below annotation at controller level    EnableCors UrlString Header  Method   Now the origins can be passed only a s string  SO if you want to pass more than one URL in the request pass it as a comma seperated value   UrlString    https   a hello com https   b hello com

User · Answer

For IIS 7 5  with URL Rewrite 2 0 module installed please see this SO answer

User · Answer

I struggled to set this up for a domain running HTTPS  so I figured I would share the solution  I used the following directive in my httpd conf file        lt FilesMatch     ttf otf eot woff    gt              SetEnvIf Origin   http s            example  com   AccessControlAllowOrigin  0             Header set Access-Control-Allow-Origin   AccessControlAllowOrigin e env AccessControlAllowOrigin      lt  FilesMatch gt    Change example com to your domain name   Add this inside  lt VirtualHost x x x x xx gt  in your httpd conf file   Notice that if your VirtualHost has a port suffix  e g   80  then this directive will not apply to HTTPS  so you will need to also go to  etc apache2 sites-available default-ssl and add the same directive in that file  inside of the  lt VirtualHost  default  443 gt  section   Once the config files are updated  you will need to run the following commands in the terminal   a2enmod headers sudo service apache2 reload

User · Answer

As mentioned above  Access-Control-Allow-Origin should be unique and Vary should be set to Origin if you are behind a CDN  Content Delivery Network    Relevant part of my Nginx configuration   if   http origin     https        mydomain example   0-9           set  cors  true     if   cors    true       add header  Access-Control-Allow-Origin    http origin     add header  X-Frame-Options   ALLOW FROM  http origin     add header  Access-Control-Allow-Credentials   true     add header  Vary   Origin

User · Answer

PHP code example for matching subdomains   if  preg match   http            yourdomain example      SERVER  HTTP ORIGIN     matches               theMatch    matches 0           header  Access-Control-Allow-Origin       theMatch

User · Answer

There is one disadvantage you should be aware of  As soon as you out-source files to a CDN  or any other server which doesn t allow scripting  or if your files are cached on a proxy  altering response based on  Origin  request header will not work

User · Answer

Here s a solution for Java web app  based the answer from yesthatguy    I am using Jersey REST 1 x  Configure the web xml to be aware of Jersey REST and the CORSResponseFilter    lt  -- Jersey REST config -- gt     lt servlet gt           lt servlet-name gt JAX-RS Servlet lt  servlet-name gt       lt servlet-class gt com sun jersey spi container servlet ServletContainer lt  servlet-class gt       lt init-param gt            lt param-name gt com sun jersey api json POJOMappingFeature lt  param-name gt           lt param-value gt true lt  param-value gt       lt  init-param gt       lt init-param gt         lt param-name gt com sun jersey spi container ContainerResponseFilters lt  param-name gt         lt param-value gt com your package CORSResponseFilter lt  param-value gt       lt  init-param gt          lt init-param gt           lt param-name gt com sun jersey config property packages lt  param-name gt           lt param-value gt com your package lt  param-value gt       lt  init-param gt               lt load-on-startup gt 1 lt  load-on-startup gt     lt  servlet gt     lt servlet-mapping gt       lt servlet-name gt JAX-RS Servlet lt  servlet-name gt       lt url-pattern gt  ws   lt  url-pattern gt     lt  servlet-mapping gt    Here s the code for CORSResponseFilter  import com sun jersey spi container ContainerRequest  import com sun jersey spi container ContainerResponse  import com sun jersey spi container ContainerResponseFilter    public class CORSResponseFilter implements ContainerResponseFilter    Override public ContainerResponse filter ContainerRequest request          ContainerResponse response         String   allowDomain     http   localhost 9000   https   my domain example        Set lt String gt  allowedOrigins   new HashSet lt String gt  Arrays asList  allowDomain                           String originHeader   request getHeaderValue  Origin         if allowedOrigins contains originHeader             response getHttpHeaders   add  Access-Control-Allow-Origin   originHeader            response getHttpHeaders   add  Access-Control-Allow-Headers                    origin  content-type  accept  authorization            response getHttpHeaders   add  Access-Control-Allow-Credentials    true            response getHttpHeaders   add  Access-Control-Allow-Methods                    GET  POST  PUT  DELETE  OPTIONS  HEAD               return response

User · Answer

This worked for me   SetEnvIf Origin   http s             domain  example domain2  example    origin is  0  Header always set Access-Control-Allow-Origin   origin is e env origin is   When put in  htaccess  it will work for sure

User · Answer

Sounds like the recommended way to do it is to have your server read the Origin header from the client  compare that to the list of domains you would like to allow  and if it matches  echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response   With  htaccess you can do it like this     ----------------------------------------------------------------------   Allow loading of external fonts   ----------------------------------------------------------------------  lt FilesMatch     ttf otf eot woff woff2    gt       lt IfModule mod headers c gt          SetEnvIf Origin  http s      www     google com staging google com development google com otherdomain example dev02 otherdomain example    AccessControlAllowOrigin  0         Header add Access-Control-Allow-Origin   AccessControlAllowOrigin e env AccessControlAllowOrigin         Header merge Vary Origin      lt  IfModule gt   lt  FilesMatch gt

User · Answer

Google s support answer on serving ads over SSL and the grammar in the RFC itself would seem to indicate that you can space delimit the URLs  Not sure how well-supported this is in different browsers

User · Answer

Here s an expanded option for apache that includes some of the latest and planned font definitions    lt FilesMatch     ttf otf eot woff woff2 sfnt svg    gt       lt IfModule mod headers c gt          SetEnvIf Origin   http s             domainname1 domainname2 domainname3      com net org    AccessControlAllowOrigin  0 1 2         Header add Access-Control-Allow-Origin   AccessControlAllowOrigin e env AccessControlAllowOrigin         Header set Access-Control-Allow-Credentials true      lt  IfModule gt   lt  FilesMatch gt

User · Answer

And one more answer in Django  To have a single view allow CORS from multiple domains  here is my code   def my view request       if  HTTP ORIGIN  in request META keys   and request META  HTTP ORIGIN   in   http   allowed-unsecure-domain com    https   allowed-secure-domain com                 response   my view response     Create your desired response data  JsonResponse  HttpResponse              Then add CORS headers for access from delivery         response  Access-Control-Allow-Origin     request META  HTTP ORIGIN           response  Access-Control-Allow-Methods      GET     GET  POST  PUT  DELETE  OPTIONS  HEAD          response  Access-Control-Max-Age      1000            response  Access-Control-Allow-Headers                   return response

User · Answer

Maybe I am wrong  but as far as I can see Access-Control-Allow-Origin has an  origin-list  as parameter   By definition an origin-list is   origin               origin      1 WSP    null    origin-list   origin-list         serialized-origin    1 WSP serialized-origin   serialized-origin   scheme       host       port                        lt scheme gt    lt host gt    lt port gt  productions from RFC3986   And from this  I argue different origins are admitted and should be space separated

User · Answer

We can also set this in Global asax file for Asp net application   protected void Application BeginRequest object sender  EventArgs e                enable CORS     HttpContext Current Response AddHeader  Access-Control-Allow-Origin    https   www youtube com

User · Answer

To facilitate multiple domain access for an ASMX service  I created this function in the global asax file   protected void Application BeginRequest object sender  EventArgs e        string CORSServices     account asmx  account2 asmx       if  CORSServices IndexOf HttpContext Current Request Url AbsolutePath   gt  -1                string allowedDomains    http   xxx yyy example http   aaa bbb example            if allowedDomains IndexOf HttpContext Current Request Headers  Origin     gt  -1              HttpContext Current Response AddHeader  Access-Control-Allow-Origin   HttpContext Current Request Headers  Origin              if HttpContext Current Request HttpMethod     OPTIONS               HttpContext Current Response End              This allows for CORS handling of OPTIONS verb also

User · Answer

Only a single origin can be specified for the Access-Control-Allow-Origin header  But you can set the origin in your response according to the request  Also don t forget to set the Vary header  In PHP I would do the following                  Enable CORS for the passed origins         Adds the Access-Control-Allow-Origin header to the response with the origin that matched the one in the request          param array  origins         return string null returns the matched origin or null             function allowOrigins  origins                 val     SERVER  HTTP ORIGIN      null          if  in array  val   origins  true                 header  Access-Control-Allow-Origin     val               header  Vary  Origin                 return  val                     return null           if  allowOrigins   http   localhost    https   localhost             echo your response here  e g  token

User · Answer

HTTP ORIGIN is not used by all browsers   How secure is HTTP ORIGIN  For me it comes up empty in FF  I have the sites that I allow access to my site send over a site ID  I then check my DB for the record with that id and get the SITE URL column value  www yoursite com      header  Access-Control-Allow-Origin  http      row  SITE URL       Even if the send over a valid site ID the request needs to be from the domain listed in my DB associated with that site ID

[.htaccess] Access-Control-Allow-Origin Multiple Origin Domains?

Examples related to .htaccess

Examples related to http

Examples related to cors

Examples related to xmlhttprequest

Examples related to cross-domain