Access-Control-Allow-Origin Multiple Origin Domains?
Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header?
I\'m aware of the *, but it is too open. I rea
-
Only a single origin can be specified for the Access-Control-Allow-Origin header. But you can set the origin in your response according to the request. Also don't forget to set the Vary header. In PHP I would do the following:
/** * Enable CORS for the passed origins. * Adds the Access-Control-Allow-Origin header to the response with the origin that matched the one in the request. * @param array $origins * @return string|null returns the matched origin or null */ function allowOrigins($origins) { $val = $_SERVER['HTTP_ORIGIN'] ?? null; if (in_array($val, $origins, true)) { header('Access-Control-Allow-Origin: '.$val); header('Vary: Origin'); return $val; } return null; } if (allowOrigins(['http://localhost', 'https://localhost'])) { echo your response here, e.g. token }讨论(0) -
There is one disadvantage you should be aware of: As soon as you out-source files to a CDN (or any other server which doesn't allow scripting) or if your files are cached on a proxy, altering response based on 'Origin' request header will not work.
讨论(0) -
Maybe I am wrong, but as far as I can see
Access-Control-Allow-Originhas an"origin-list"as parameter.By definition an
origin-listis:origin = "origin" ":" 1*WSP [ "null" / origin-list ] origin-list = serialized-origin *( 1*WSP serialized-origin ) serialized-origin = scheme "://" host [ ":" port ] ; <scheme>, <host>, <port> productions from RFC3986And from this, I argue different origins are admitted and should be space separated.
讨论(0) -
For Nginx users to allow CORS for multiple domains. I like the @marshall's example although his anwers only matches one domain. To match a list of domain and subdomain this regex make it ease to work with fonts:
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { if ( $http_origin ~* (https?://(.+\.)?(domain1|domain2|domain3)\.(?:me|co|com)$) ) { add_header "Access-Control-Allow-Origin" "$http_origin"; } }This will only echo "Access-Control-Allow-Origin" headers that matches with the given list of domains.
讨论(0) -
If you try so many code examples like me to make it work using CORS, it is worth to mention that you have to clear your cache first to try if it actually works, similiar to issues like when old images are still present, even if it's deleted on the server (because it is still saved in your cache).
For example CTRL + SHIFT + DEL in Google Chrome to delete your cache.
This helped me using this code after trying many pure
.htaccesssolutions and this seemed the only one working (at least for me):Header add Access-Control-Allow-Origin "http://google.com" Header add Access-Control-Allow-Headers "authorization, origin, user-token, x-requested-with, content-type" Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS" <FilesMatch "\.(ttf|otf|eot|woff)$"> <IfModule mod_headers.c> SetEnvIf Origin "http(s)?://(www\.)?(google.com|staging.google.com|development.google.com|otherdomain.com|dev02.otherdomain.net)$" AccessControlAllowOrigin=$0 Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin </IfModule> </FilesMatch>Also note that it is widely spread that many solutions say you have to type
Header set ...but it isHeader add .... Hope this helps someone having the same troubles for some hours now like me.讨论(0) -
I had the same problem with woff-fonts, multiple subdomains had to have access. To allow subdomains I added something like this to my httpd.conf:
SetEnvIf Origin "^(.*\.example\.com)$" ORIGIN_SUB_DOMAIN=$1 <FilesMatch "\.woff$"> Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN </FilesMatch>For multiple domains you could just change the regex in
SetEnvIf.讨论(0)
加载中...
- 热议问题