Question

header('Access-Control-Allow-Origin: http://splash.example.com');
header('Access-Control-Allow-Credentials: true');

Hello again Stackoverflow!

On my website, I have an ajax file ajax.php, where I need multiple (sub) domains to access it and fire requests.

The problem is that it works for splash.example.com and example.com with the solution posted above, and this in the request:

$.ajax({
    ...

    crossDomain: true,
    xhrFields: {
        withCredentials: true
    },

    ...
});

But isn't there an easier way? 'Cause right now it isn't working for www.example.com, even with the solution posted above.

I've tried putting this in my htaccess:

<IfModule mod_headers.c>
    Header add Access-Control-Allow-Origin "http://example.com"
    Header add Access-Control-Allow-Origin "http://www.example.com"
    Header add Access-Control-Allow-Origin "http://splash.example.com"
    Header set Access-Control-Allow-Credentials true
</IfModule>

but this didn't work somehow.

Can you guys help me?


Solution

The preferred method would be to read the request header, find the origin, check it in your server side code. If the domain is allowed to access the page, send back the origin domain in one single Access-Control-Allow-Origin header.

Another pro: No other domain user would see the list of allowed domains. Every user would only see his own domain (if allowed).
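As an added example (not the asker's ajax.php and not code from either answer), this is what the approach described above looks like in PHP at the top of ajax.php: read the Origin request header, compare it against a server-side allow-list, and echo exactly one Access-Control-Allow-Origin header carrying the caller's own origin. The host names in the allow-list and the root domain are assumed for illustration; the subdomain matcher goes one step beyond the answer and also covers the "any sub-domain of example.com" case the question asks for.

```php
<?php
// Added example: server-side origin check for a CORS endpoint (ajax.php).
// Host names below are assumed; replace them with your own.

// Exact-match allow-list of origins (scheme + host [+ port]).
const ALLOWED_ORIGINS = [
    'http://example.com',
    'http://www.example.com',
    'http://splash.example.com',
];

// Root domain whose subdomains are all allowed (assumed value).
const ALLOWED_ROOT = 'example.com';

/**
 * True when $origin is exactly $root or a subdomain of it.
 * Parses the origin instead of doing a substring test, so
 * http://evil-example.com and http://example.com.evil.net are rejected.
 */
function originMatchesRoot(string $origin, string $root): bool
{
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array($parts['scheme'], ['http', 'https'], true)) {
        return false;
    }
    // A browser-sent Origin is scheme://host[:port] only; anything else is not a real origin.
    if (isset($parts['path']) || isset($parts['query']) || isset($parts['user']) || isset($parts['fragment'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    $root = strtolower($root);
    $suffix = '.' . $root;
    return $host === $root
        || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
}

/** Returns the origin to echo back, or null when the request must get no CORS headers. */
function corsOriginToAllow(?string $origin): ?string
{
    if ($origin === null || $origin === '') {
        return null; // same-origin request or non-browser client
    }
    if (in_array($origin, ALLOWED_ORIGINS, true) || originMatchesRoot($origin, ALLOWED_ROOT)) {
        return $origin;
    }
    return null;
}

function sendCorsHeaders(array $server): void
{
    $allowed = corsOriginToAllow($server['HTTP_ORIGIN'] ?? null);
    if ($allowed === null) {
        return; // unknown origin: no headers, the browser blocks the cross-origin read
    }

    // One header, with the caller's own origin; never "*" together with credentials.
    header('Access-Control-Allow-Origin: ' . $allowed);
    header('Access-Control-Allow-Credentials: true');
    // The response depends on Origin, so caches must not reuse it across origins.
    header('Vary: Origin');

    if (($server['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        // Preflight for requests with custom headers or non-form bodies.
        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Content-Type, X-Requested-With');
        header('Access-Control-Max-Age: 600');
        http_response_code(204);
        exit;
    }
}

sendCorsHeaders($_SERVER);
// ... the rest of ajax.php follows
```

With this in place the jQuery call from the question needs nothing beyond withCredentials: true; the allow-list stays on the server, and a request from an origin outside it gets a plain response with no Access-Control-Allow-Origin header, which the browser refuses to expose to the calling page.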

OTHER TIPS

Had this issue too several weeks ago and found this great solution.

It allows access to any sub-domain by dynamically looking at the HTTP_Origin header, extracting the sub-domain of the origin host, and using that in the Access-Control-Allow-Origin header.

Just add the following to your .htaccess file:

<IfModule mod_headers.c>
<IfModule mod_rewrite.c>
  # Dynamically change the Access-Control-Allow-Origin header to match the sub-domain the request is coming from
  # Define the root domain that is allowed
  SetEnvIf Origin .+ ACCESS_CONTROL_ROOT=example.com
  # Check that the Origin: matches the defined root domain and capture it in an environment var if it does
  RewriteEngine On
  RewriteCond %{ENV:ACCESS_CONTROL_ROOT} !=""
  RewriteCond %{ENV:ACCESS_CONTROL_ORIGIN} =""
  RewriteCond %{ENV:ACCESS_CONTROL_ROOT}&%{HTTP:Origin} ^([^&]+)&(https?://(?:.+?\.)?\1(?::\d{1,5})?)$
  RewriteRule .* - [E=ACCESS_CONTROL_ORIGIN:%2]
  # Set the response header to the captured value if there was a match
  Header set Access-Control-Allow-Origin %{ACCESS_CONTROL_ORIGIN}e env=ACCESS_CONTROL_ORIGIN

  # Allow credentials to enable cookies being sent cross domain, so the user can stay logged in as long as the session file is available to both domains
  Header set Access-Control-Allow-Credentials "true"

  # Set here the headers needed for the AJAX requests, if a needed header is not in this list you will see an error in Chrome mentioning which header needs to be added here
  Header set Access-Control-Allow-Headers "sender, filename, content-type, accept, x-requested-with, x-request"
</IfModule>
</IfModule>
Licensed under: CC-BY-SA with attribution