header('Access-Control-Allow-Origin: *'); Not allowing CORS request

Question

I have a PHP file which generates a JSON document.

I've set the header as follows but am still getting an error.

header('Access-Control-Allow-Origin: *');
header('Content-Type: application/json');

Error message:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://mysubdomain.mydomain.com' is therefore not allowed access.

I've tried explictly allowing mysubdomain.mydomain.com using

header('Access-Control-Allow-Origin: https://mysubdomain.mydomain.com');

But I still get the error.

Answer 1

with htaccess file you can try to set :

Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH,DELETE"
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "content-type,Authorization,Cache-Control,X-Requested-With, X-XSRF-TOKEN"

Or with PHP:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Authorization, Content-Type, x-xsrf-token, x_csrftoken, Cache-Control, X-Requested-With');

Answer 2

Such a situation may arise when an error occurs on the requested page. In this case the error page sets headers, that likely has no Access-Control-Allow-Origin header.

Answer 3

It doesn't look there is anything wrong with the code that sets the header, but you may want to check if the header is actually being set. Use curl -i http://yourapp to check the response headers being sent to debug it. Alternatively, you can use the network tab in Google Chrome's web inspector, or the Network tool in Firefox's Web Developer tools.