Access-Control-Allow-Origin syntax

Question

I want allow Cross-origin resource sharing from all the sub-domain of from.example.com. So I added Cross-origin resource sharing header as given below to a page in

Answer 1

Wildcards are not allowed in the Access-Control-Allow-Origin header. It has to be an exact match. You can either allow all domains by setting the value to *, or conditionally echo the value of the Origin request header if it matches one of your allowed domains.

Note that the Origin spec allows for multiple origins separated by a space. However I am not sure if this works with the Access-Control-Allow-Origin header. It may be worth a try.