CraftedGaming

Reputation: 529

Firebase Hosting How to put multiple links in Access Control Allow Origin Header

So I am limiting the number of sites that can access my website. I found there's a header option in the Firebase Hosting section. I have two questions. The first is how to put multiple links in the value of this header. Say, for example, I want to allow Google and YouTube to access my site's resources. My other question is: by replacing the .@(eot....) with just an asterisk, will the header be the same for all the files included in this directory?

"headers": [ {
    "source" : "**/*.@(eot|otf|ttf|ttc|woff|font.css)",
    "headers" : [ {
      "key" : "Access-Control-Allow-Origin",
      "value" : "*"
    } ]
  } ]

I already tried placing this inside value but I have no luck in making it work as I get an error message.

// attempt 1
PROJECTNAMEANDCODEHERE.firebaseapp.com https://us-central1-PROJECTNAMEANDCODEHERE.cloudfunctions.net

// attempt 2
PROJECTNAMEANDCODEHERE.firebaseapp.com, https://us-central1-PROJECTNAMEANDCODEHERE.cloudfunctions.net

Note: I re-upload my headers every time I make an update on the firebase.json file. Please do not reference me with Firebase Cloud as I am NOT working with it.

Upvotes: 1

Views: 851

Answers (1)

abraham

Reputation: 47863

Access-Control-Allow-Origin supports two values.

  • * to allow any site.
  • <origin> to allow that specific origin access.

If you want https://app.example.com to be allowed the response value must be https://app.example.com.

Multiple values are not supported. If you want a limited number of allowed origins, the server must parse the Origin header of incoming requests and dynamically set the ACAO response header.

Firebase Hosting does not allow for this dynamic setup without the use of Functions.

Upvotes: 1
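
The dynamic approach the answer describes, as an added example that is not part of the original answer or of Firebase's own code: the server compares the request's Origin header against an allowlist and echoes back only the one matching origin. The allowlist entries, the function names and the handler wiring are assumptions made for illustration.

```javascript
'use strict';

// Constructed allowlist: full origins (scheme + host [+ port]), compared exactly.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Build the CORS response headers for one request's Origin header value.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  // The response now depends on Origin, so shared caches and CDNs must key on it.
  const headers = { Vary: 'Origin' };
  // Exact Set lookup only: substring, suffix or loose regex checks would also
  // match look-alike hosts such as https://app.example.com.attacker.test.
  if (typeof originHeader === 'string' && allowed.has(originHeader)) {
    // Echo the single matching origin; the header cannot carry a list.
    headers['Access-Control-Allow-Origin'] = originHeader;
  }
  return headers; // no ACAO header at all for unknown or missing origins
}

// Handler with Node's (req, res) shape (assumed wiring: an HTTP function
// that serves the shared resource instead of a static Hosting file).
function handleRequest(req, res) {
  for (const [key, value] of Object.entries(corsHeadersFor(req.headers.origin))) {
    res.setHeader(key, value);
  }
  res.statusCode = 200;
  res.end('resource body');
}
```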
