Access-Control-Allow-Origin Multiple Origin Domains?

隐瞒了意图╮ 2020-11-21 07:08

Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header?

I'm aware of the *, but it is too open. I rea

30 Answers
  • 2020-11-21 07:20

    For a fairly easy copy / paste for .NET applications, I wrote this to enable CORS from within a global.asax file. This code follows the advice given in the currently accepted answer, reflecting whatever origin back is given in the request into the response. This effectively achieves '*' without using it.

    The reason for this is that it enables multiple other CORS features, including the ability to send an AJAX XMLHttpRequest with the 'withCredentials' attribute set to 'true'.

    void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.HttpMethod == "OPTIONS")
        {
            // Preflight: advertise the allowed methods and headers, cacheable for 20 days
            Response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
            Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
            Response.AddHeader("Access-Control-Max-Age", "1728000");
            Response.End();
        }
        else
        {
            Response.AddHeader("Access-Control-Allow-Credentials", "true");

            // Echo the request's Origin back unchanged: with credentials enabled,
            // this accepts credentialed requests from every origin.
            if (Request.Headers["Origin"] != null)
                Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["Origin"]);
            else
                Response.AddHeader("Access-Control-Allow-Origin", "*");
        }
    }
    
    0 Discussion (0)
  • 2020-11-21 07:20

    To facilitate multiple domain access for an ASMX service, I created this function in the global.asax file:

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Compare whole values, not substrings: IndexOf on the joined string
        // would also accept any fragment of an allowed entry.
        string[] CORSServices = "/account.asmx|/account2.asmx".Split('|');
        if (Array.IndexOf(CORSServices, HttpContext.Current.Request.Url.AbsolutePath) > -1)
        {
            string[] allowedDomains = "http://xxx.yyy.example|http://aaa.bbb.example".Split('|');
            // Null when the request carries no Origin header
            string origin = HttpContext.Current.Request.Headers["Origin"];

            if (origin != null && Array.IndexOf(allowedDomains, origin) > -1)
                HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", origin);

            if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
                HttpContext.Current.Response.End();
        }
    }
    

    This allows for CORS handling of OPTIONS verb also.

    0 Discussion (0)
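
The allow-list check from the answer above, as an added JavaScript example that is not part of the original post: it contrasts a substring test on a pipe-joined list with an exact comparison of the parsed origin, and sets `Vary: Origin` because the echoed value differs per request. The function names and the sample Origin values are constructed for illustration.

```javascript
// Added example; allow-list entries reuse the placeholder hosts from the answer.
const ALLOWED_ORIGINS = new Set([
  "http://xxx.yyy.example",
  "http://aaa.bbb.example",
]);

// Loose check: substring search in a pipe-joined list (the IndexOf pattern).
// Any fragment of an entry, including the empty string, is accepted.
function looseIsAllowed(origin) {
  const joined = [...ALLOWED_ORIGINS].join("|");
  return typeof origin === "string" && joined.indexOf(origin) > -1;
}

// Strict check: parse the header, require a bare serialized origin
// (no path, userinfo, default port or upper case), then compare for equality.
function strictIsAllowed(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not an absolute URL at all
  }
  if (url.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Build the CORS response headers for one request.
function corsHeaders(origin, method) {
  // Caches must key on Origin whenever the allowed value is echoed per request.
  const headers = { Vary: "Origin" };
  if (!strictIsAllowed(origin)) return headers; // no ACAO header: the browser blocks the read
  headers["Access-Control-Allow-Origin"] = origin;
  if (method === "OPTIONS") {
    // Sample preflight values, same as in the first answer on this page.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Accept";
  }
  return headers;
}

// Constructed inputs: a fragment of an allowed entry, and an exact entry.
console.log(looseIsAllowed("http://xxx.yyy"), strictIsAllowed("http://xxx.yyy"));
console.log(corsHeaders("http://aaa.bbb.example", "OPTIONS"));
```
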
  • 2020-11-21 07:22

    Another solution I'm using in PHP:

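    // Origin is absent on same-origin and non-browser requests
    $http_origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';

    // Exact, type-strict match against the allowed origins
    $allowed_origins = array("http://www.domain1.com", "http://www.domain2.com", "http://www.domain3.com");
    if (in_array($http_origin, $allowed_origins, true))
    {
        header("Access-Control-Allow-Origin: $http_origin");
    }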
    
    0 Discussion (0)
  • 2020-11-21 07:23

    Here's an expanded option for apache that includes some of the latest and planned font definitions:

    <FilesMatch "\.(ttf|otf|eot|woff|woff2|sfnt|svg)$">
        <IfModule mod_headers.c>
            # $0 is the whole matched Origin; appending $1$2 would corrupt the echoed value
            SetEnvIf Origin "^http(s)?://(.+\.)?(domainname1|domainname2|domainname3)\.(?:com|net|org)$" AccessControlAllowOrigin=$0
            Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
            Header set Access-Control-Allow-Credentials true
        </IfModule>
    </FilesMatch>
    
    0 Discussion (0)
  • 2020-11-21 07:23

    Google's support answer on serving ads over SSL and the grammar in the RFC itself would seem to indicate that you can space delimit the URLs. Not sure how well-supported this is in different browsers.

    0 Discussion (0)
  • 2020-11-21 07:25

    This worked for me:

    SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.example|domain2\.example)$" origin_is=$0 
    Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
    

    When put in .htaccess, it will work for sure.

    0 Discussion (0)