Reputation: 7048
Access-Control-Allow-Origin syntax
I want allow Cross-origin resource sharing from all the sub-domain of from.example.com. So I added Cross-origin resource sharing header as given below to a page in subdomain1.to.example.com.
<?php header('Access-Control-Allow-Origin: *.from.example.com');
And I tried to access the page form subdomain1.from.example.com using ajax. I didn't get the response. So I just changed the above header as given below.
<?php header('Access-Control-Allow-Origin: http://subdomain1.from.example.com');
It works well for the subdomain1.from.example.com only.
What was the issue with first header?
Upvotes: 12
Views: 14703
Answers (1)
Reputation: 47987
Wildcards are not allowed in the Access-Control-Allow-Origin header. It has to be an exact match. You can either allow all domains by setting the value to *, or conditionally echo the value of the Origin request header if it matches one of your allowed domains.
Note that the Origin spec allows for multiple origins separated by a space. However I am not sure if this works with the Access-Control-Allow-Origin header. It may be worth a try.
Upvotes: 18
Related Questions
- how to bypass Access-Control-Allow-Origin?
- Origin is not allowed by Access-Control-Allow-Origin
- CORS / Access-Control-Allow-Origin
- CORS not working php
- Access-Control-Allow-Origin in htaccess
- PHP-AJAX CORS Fails due to Access-Control-Allow-Origin
- Mindblowing - 'Access-Control-Allow-Origin' issue
- PHP Access-Control-Allow-Origin header not working
- Issue with Access-Control-Allow-Origin on server
- How do I use Access-Control-Allow-Origin?