Thursday, May 24, 2012

Access-Control-Allow-Origin Multiple Origin Domains?


Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header?



I'm aware of the *, but it is too open. I really want to allow just a couple domains.



As an example, something like this:




Access-Control-Allow-Origin: http://domain1.com, http://domain2.com



I have tried the above code but it doesn't seem to work in Firefox.



Is it possible to specify multiple domains or am I stuck with just one?


Source: Tips4all

5 comments:

  1. Sounds like the recommended way to do it is to have your server read the Origin header from the client, compare that to the list of domains you'd like to allow, and if it matches, echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response.

    ReplyDelete
  2. I had the same problem with woff-fonts, multiple subdomains had to have acces. To allow subdomains I added something lige this to my httpd.conf:

    SetEnvIf Origin "^(.*\.example\.com)$" ORIGIN_SUB_DOMAIN=$1
    <FilesMatch "\.woff$">
    Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
    </FilesMatch>


    For multiple domains you could just change the regex in SetEnvIf

    ReplyDelete
  3. There is one disadvantage you should be aware of: As soon as you out-source files to a CDN (or any other server which doesn't allow scripting) or if your files are cached on a proxy, altering response based on 'Origin' request header will not work.

    ReplyDelete
  4. According to the W3C RFC see here
    you should be able to seperate them with a space

    so in your example:

    Access-Control-Allow-Origin: http://domain1.com http://domain2.com


    Sadly, I have tested this on FF and it doesn't work :-(

    ReplyDelete
  5. Delimit them with a pipe character rather than a comma, as in this example:

    https://developer.mozilla.org/En/HTTP_Access_Control

    ReplyDelete