http Access Control Allow Origin Multiple Origin Domains?


SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.org|domain2\.com)$" origin_is=$0 
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is

Great answer, should be the accepted answer since it provides the solution as well!

Of the several answers all around Stack Overflow, this was the one that worked.

This is a great solution, thanks.

Put in .htaccess

# ----------------------------------------------------------------------
# Allow loading of external fonts
# ----------------------------------------------------------------------
<FilesMatch "\.(ttf|otf|eot|woff)$">
    <IfModule mod_headers.c>
        # Anchor the pattern and escape every dot so only the listed hosts match
        SetEnvIf Origin "^http(s)?://(www\.)?(google\.com|staging\.google\.com|development\.google\.com|otherdomain\.net|dev02\.otherdomain\.net)$" AccessControlAllowOrigin=$0
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    </IfModule>
</FilesMatch>

@saturdayplace, if you have access to the Origin header, you are past CORS.

If caches or CDNs are a concern, use the Vary header to tell the cache/CDN to keep separate responses for different Origin request header values. You would include a header like "Vary: Origin" in your response. The cache/CDN then knows that it should send one response to a request with header "Origin: foo.example.com", and a different response to a request with header "Origin: bar.example.com".

My problem with this answer is it doesn't really help me, because we use a CDN, and obviously we can't control how the CDN sets headers programmatically.

Sounds like the recommended way to do it is to have your server read the Origin header from the client, compare that to the list of domains you'd like to allow, and if it matches, echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response.

With .htaccess you can do it like this:

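$request_headers        = apache_request_headers();
// The Origin header is absent on same-origin and non-browser requests
$http_origin            = isset($request_headers['Origin']) ? $request_headers['Origin'] : '';
$allowed_http_origins   = array(
                            "http://myDumbDomain.com"   ,
                            "http://anotherDumbDomain.com"  ,
                            "http://localhost"  ,
                          );
// Strict comparison: only an exact string match against the list is accepted
if (in_array($http_origin, $allowed_http_origins, true)){
    @header("Access-Control-Allow-Origin: " . $http_origin);
}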

Here is what I did for a PHP application which is being requested by AJAX

If the requesting origin is allowed by my server, return the $http_origin itself as value of the Access-Control-Allow-Origin header instead of returning a * wildcard.

location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
   # ^ and $ anchor the match to the whole Origin value
   if ( $http_origin ~* (^https?://(.+\.)?(domain1|domain2|domain3)\.(?:me|co|com)$) ) {
      add_header "Access-Control-Allow-Origin" "$http_origin";
   }
}

For Nginx users to allow CORS for multiple domains. I like @marshall's example, although his answer only matches one domain. To match a list of domains and subdomains, this regex makes it easy to work with fonts:

This will only echo "Access-Control-Allow-Origin" headers that match the given list of domains.

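import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.ext.Provider;

// Jersey 1.x response filter API
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerResponse;
import com.sun.jersey.spi.container.ContainerResponseFilter;

@Provider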
public class CORSResponseFilter implements ContainerResponseFilter{

@Override
public ContainerResponse filter(ContainerRequest request,
        ContainerResponse response) {

    String[] allowDomain = {"http://localhost:9000","https://my.domain.com"};
    Set<String> allowedOrigins = new HashSet<String>(Arrays.asList (allowDomain));                  

    String originHeader = request.getHeaderValue("Origin");

    if(allowedOrigins.contains(originHeader)) {
        response.getHttpHeaders().add("Access-Control-Allow-Origin", originHeader);

        response.getHttpHeaders().add("Access-Control-Allow-Headers",
                "origin, content-type, accept, authorization");
        response.getHttpHeaders().add("Access-Control-Allow-Credentials", "true");
        response.getHttpHeaders().add("Access-Control-Allow-Methods",
                "GET, POST, PUT, DELETE, OPTIONS, HEAD");
    }

    return response;
}

}

The above link is expired; can you add a new one, or update the answer with more details? Thanks.
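
Added example, not taken from any of the answers above: the approach they share (compare Origin against an allowlist, echo it back, send Vary: Origin for caches and CDNs), written in Python. The origins, the domain.org parent domain and the function names are assumptions made for illustration; LOOSE is included only to compare an unanchored regex with unescaped dots against exact host matching.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption): exact origins, plus parent domains whose
# HTTPS subdomains are also allowed.
ALLOWED_ORIGINS = {"https://my.domain.com", "http://localhost:9000"}
PARENT_DOMAINS = {"domain.org"}

# For comparison only: an allowlist regex with no ^ anchor and unescaped dots.
LOOSE = re.compile(r"http(s)?://(www\.)?(staging.domain.org|domain.org)$")


def origin_allowed(origin):
    """True for an exact allowlist hit or an HTTPS (sub)domain of a parent domain."""
    if not origin:
        return False  # header absent: same-origin or non-browser request
    if origin in ALLOWED_ORIGINS:
        return True
    try:
        host = urlsplit(origin).hostname or ""
    except ValueError:
        return False
    # The value must be exactly https://<lower-case host>; this rejects ports,
    # paths, userinfo, other schemes and stray whitespace in one comparison.
    if origin != "https://" + host:
        return False
    return any(host == d or host.endswith("." + d) for d in PARENT_DOMAINS)


def cors_headers(origin):
    """CORS response headers for one request's Origin value (None if absent)."""
    # Vary: Origin goes on every response so a cache or CDN never reuses the
    # answer given to one origin for a request from another.
    headers = {"Vary": "Origin"}
    if origin_allowed(origin):
        headers["Access-Control-Allow-Origin"] = origin  # echo, never "*"
    return headers


if __name__ == "__main__":
    for o in ("https://my.domain.com", "https://fonts.domain.org",
              "https://stagingxdomain.org", "https://domain.org.example.net", None):
        print(o, bool(o and LOOSE.search(o)), cors_headers(o))
```

The lookalike host stagingxdomain.org passes LOOSE because each unescaped dot matches any character, while the suffix check on the parsed host rejects it.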
