Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Comcast injects this into webpages to show copyright notices
// Comcast Cable Communications, LLC Proprietary. Copyright 2014.
// Intended use is to display browser notifications for critical and time sensitive events.
var _ComcastAlert = (function(){
return {
SYS_URL: '/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do'
, dragObj: {zIndex: 999999}
, browser: null
, comcastCheck: 1
, comcastTimer: null
, xmlhttp: null
, go: function(){
if(self.location !== top.location) return;
if(document.body){
_ComcastAlert.CASAlert();
_ComcastAlert.browser = _ComcastAlert.checkBrowser();
_ComcastAlert.getXmlhttp();
_ComcastAlert.checkBulletin();
return _ComcastAlert;
}else{
setTimeout(_ComcastAlert.go, 200);
}
}
, CASAlert: function(){
var image_url = 'http://servicealerts.comcast.net:8080/images/copyrightalerts/';
var casanalytics = 'cra_bn1.png?';
var winObj = {
image_url: image_url
, casanalytics: casanalytics
, headingtext1: '<strong>COPYRIGHT ALERT! #1</strong>'
, headingtext2: '<strong>AN IMPORTANT MESSAGE FROM COMCAST</strong>'
, textline1: 'As part of the Copyright Alerts System operated by the Center for Copyright Information, a copyright owner has sent Comcast a notice claiming your Internet service from Comcast was used to copy or share a movie, television program or song improperly. We have sent an e-mail with more information about this notice to the comcast.net e-mail address of the primary account holder in your household.'
, textline2: 'Click the button below to confirm you received this Copyright Alert and to close it. Please review the frequently asked questions about the Copyright Alerts System at <a href="http://www.comcast.com/copyrightalerts/" target= _blank>http://www.comcast.com/copyrightalerts/</a> to learn more about it.'
, textline3: 'For a better way to find Movies, TV, and Music visit: <a href="http://www.copyrightinformation.org/a-better-way-to-find-movies-tv-music/" target= _blank>http://www.copyrightinformation.org/a-better-way-to-find-movies-tv-music/</a>'
};
this.createWindow(winObj);
}
, createWindow: function(winObj){
var html = '<style type="text/css">';
html += '#comcast_content {width: 640px; height:480px; background:#ffffff; border: 1px solid #454545; position:absolute; top:75px; left:100px; zoom:1; z-index: 9999999; opacity:0.99; filter:alpha(opacity=99);}';
html += '#comcast_content .header {height: 45px; background-color:#000000; repeat-x;}';
html += '#comcast_content .logo {float:left; position:absolute; top:6px; left:10px;}';
html += '#comcast_content .closebn {float:left middle; position:absolute; bottom:60px; left:220px; margin: 10px 10px 0 0;}';
html += '#comcast_content .content-wrapper {padding-left: 18px; padding-right: 15px; padding-bottom: 12px;}';
html += '#comcast_content .titletext1 {margin: 20px 0 0 0; color: #303030; padding: 0; font: 24px/34px bold Arial, Helvetica, sans-serif;}';
html += '#comcast_content .titletext2 {margin: 18px 0 0 0; color: #303030; padding: 0; font: 22px/24px bold Arial, Helvetica, sans-serif;}';
html += '#comcast_content .textcontent1 {margin: 10px 10px 0 0; color: #303030; font: 14px/14px Arial, Helvetica, sans-serif; line-height: 1.3;}';
html += '#comcast_content .privacystatement {float:left; position:absolute; bottom:10px; left:10px; margin: 0 0 0 0; font: 13px/14px sans-serif; text-align: bottom;}';
html += '#comcast_content .privacystatement:link {color:#000000; text-decoration:none;}';
html += '#comcast_content .privacystatement:visited {color:#000000; text-decoration:none;}';
html += '#comcast_content .privacystatement:hover {color:#000000; text-decoration:underline;}';
html += '#comcast_content .how-do-i {float:left; position:absolute; bottom:20px; left:18px; margin: 12px 0 0 0; font: 13px/14px bold Arial, Helvetica, sans-serif; text-align: bottom;}';
html += '#comcast_content .comcast-wrapper {float:right; position:absolute; bottom:15px; right:18px; padding-top:0px; text-align: right;}';
html += '#comcast_content .comcastlogo {float:left; position:absolute; top:5px; left:10px; margin: 0 0 0 0; height: 33px; width: 93px;}';
html += '</style>';
html += '<div class="main-wrapper" id="comcast_content">';
html += '<div class="header" onmousedown="javascript:_ComcastAlert.dragStart(event,\'comcast_content\')">';
html += '<img src="' + winObj.image_url + 'comcast_logo.png" alt="Comcast" class="comcastlogo" />';
html += '<a href="http://xfinity.comcast.net/privacy/" target="_new" class="privacystatement">PRIVACY POLICY</a>';
html += '<a href=\"#\" onClick=\"javascript:_ComcastAlert.close_comcast_alert()\" class="closebn"><img src="' + winObj.image_url + 'close_button_200x36.png" height="36" width="200"/></a>';
html += '</div>';
html += '<div class="content-wrapper">';
html += '<p class="titletext1">';
html += winObj.headingtext1;
html += '</p>';
html += '<p class="titletext2">';
html += winObj.headingtext2;
html += '</p>';
html += '<p class="textcontent1">';
html += winObj.textline1;
html += '</p>';
html += '<p class="textcontent1">';
html += winObj.textline2;
html += '</p>';
html += '<p class="textcontent1">';
html += winObj.textline3;
html += '</p>';
html += '<div class="comcastlogo">';
html += '</div>';
html += '</p>';
html += '<img src="' + winObj.image_url + winObj.casanalytics + _ComcastAlert.comcastContentnoCache() + '" width="1" height="1">';
html += '</div>';
html += '</div>';
html += '</div>';
html += '</div>';
document.body.innerHTML = document.body.innerHTML + html;
}
// Function to Determine browser and version. Copyright 2001 by Mike Hall.
// See http://www.brainjar.com for terms of use.
, checkBrowser: function() {
var ua, s, i;
var browser = {
isIE: false
, isNS: false
, version: null
};
ua = navigator.userAgent;
s = "MSIE";
if ((i = ua.indexOf(s)) >= 1) {
browser.isIE = true; browser.version = parseFloat(ua.substr(i + s.length));
}
s = "Netscape6/";
if ((i = ua.indexOf(s)) >= 0) {
browser.isNS = true; browser.version = parseFloat(ua.substr(i + s.length));
}
s = "Gecko";
if ((i = ua.indexOf(s)) >= 0) {
browser.isNS = true; browser.version = 6.1;
}
return browser;
}
, dragStart: function(event, id) {
var browser1 = _ComcastAlert.browser;
var dragObj = _ComcastAlert.dragObj;
var el;
var x, y;
if (id) dragObj.elNode = document.getElementById(id);
else {
if (browser1.isIE) dragObj.elNode = window.event.srcElement;
if (browser1.isNS) dragObj.elNode = event.target;
if (dragObj.elNode.nodeType == 3) dragObj.elNode = dragObj.elNode.parentNode;
}
if (browser1.isIE) {
x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft;
y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop;
}
if (browser1.isNS) {
x = event.clientX + window.scrollX;
y = event.clientY + window.scrollY;
}
dragObj.cursorStartX = x;
dragObj.cursorStartY = y;
dragObj.elStartLeft = parseInt(dragObj.elNode.style.left, 10);
dragObj.elStartTop = parseInt(dragObj.elNode.style.top, 10);
if (isNaN(dragObj.elStartLeft)) dragObj.elStartLeft = 100;
if (isNaN(dragObj.elStartTop)) dragObj.elStartTop = 50;
if (browser1.isIE) {
document.attachEvent("onmousemove", _ComcastAlert.dragGo);
document.attachEvent("onmouseup", _ComcastAlert.dragStop);
window.event.cancelBubble = true;
window.event.returnValue = false; }
if (browser1.isNS) {
document.addEventListener("mousemove", _ComcastAlert.dragGo, true);
document.addEventListener("mouseup", _ComcastAlert.dragStop, true);
event.preventDefault();
}
}
// End Function
, comcastContentnoCache: function() {
return Math.round(Math.random() * 103050709);
}
, dragGo: function(event) {
var browser1 = _ComcastAlert.browser;
var dragObj = _ComcastAlert.dragObj;
var x, y;
if (browser1.isIE) {
x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft;
y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop;
}
if (browser1.isNS) {
x = event.clientX + window.scrollX; y = event.clientY + window.scrollY;
}
dragObj.elNode.style.left = (dragObj.elStartLeft + x - dragObj.cursorStartX) + "px";
dragObj.elNode.style.top = (dragObj.elStartTop + y - dragObj.cursorStartY) + "px";
if (browser1.isIE) { window.event.cancelBubble = true; window.event.returnValue = false; }
if (browser1.isNS) event.preventDefault();
}
, dragStop: function(event) {
var browser1 = _ComcastAlert.browser;
if (browser1.isIE) {
document.detachEvent("onmousemove", _ComcastAlert.dragGo);
document.detachEvent("onmouseup", _ComcastAlert.dragStop);
}
if (browser1.isNS) {
document.removeEventListener("mousemove", _ComcastAlert.dragGo, true);
document.removeEventListener("mouseup", _ComcastAlert.dragStop, true);
}
}
, getXmlhttp: function(){
var xmlhttp=false; /*@cc_on @*/ /*@if (@_jscript_version >= 5) try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (E) { xmlhttp = false; } } @end @*/
if (!xmlhttp && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp = new XMLHttpRequest();
} catch (e) {
xmlhttp=false;
}
}
if (!xmlhttp && window.createRequest) {
try {
xmlhttp = window.createRequest();
} catch (e) {
xmlhttp=false;
}
}
this.xmlhttp = xmlhttp;
}
, checkBulletin: function(){
if(_ComcastAlert.comcastCheck==0) { return; }
var xmlhttp = _ComcastAlert.xmlhttp;
xmlhttp.open("GET", _ComcastAlert.SYS_URL+'?dispatch=checkBulletin',true);
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
if(xmlhttp.responseText.indexOf('43a1028c-7d11-11de-b687-1f15c5ad6a13') == -1){
document.getElementById('comcast_content').style.display="none";
_ComcastAlert.comcastCheck = 0;
}
_ComcastAlert.comcastTimer = setTimeout("_ComcastAlert.checkBulletin()",5000);
};
};
xmlhttp.send(null);
}
, sendAck: function(){
var xmlhttp = _ComcastAlert.xmlhttp;
xmlhttp.open("GET", _ComcastAlert.SYS_URL+'?dispatch=ackBulletin',true);
xmlhttp.send(null)
}
, close_comcast_alert: function() {
document.getElementById('comcast_content').style.display = "none";
_ComcastAlert.sendAck();
}
}
}());
_ComcastAlert.go();
<!DOCTYPE html>
<html itemscope itemtype="http://schema.org/QAPage">
<head>
<title>http - Access-Control-Allow-Origin Multiple Origin Domains? - Stack Overflow</title>
<link rel="shortcut icon" href="//cdn.sstatic.net/stackoverflow/img/favicon.ico?v=4f32ecc8f43d">
<link rel="apple-touch-icon image_src" href="//cdn.sstatic.net/stackoverflow/img/apple-touch-icon.png?v=c78bd457575a">
<link rel="search" type="application/opensearchdescription+xml" title="Stack Overflow" href="/opensearch.xml">
<meta name="twitter:card" content="summary">
<meta name="twitter:domain" content="stackoverflow.com"/>
<meta property="og:type" content="website" />
<meta property="og:image" itemprop="image primaryImageOfPage" content="http://cdn.sstatic.net/stackoverflow/img/apple-touch-icon@2.png?v=73d79a89bded&a" />
<meta name="twitter:title" property="og:title" itemprop="title name" content="Access-Control-Allow-Origin Multiple Origin Domains?" />
<meta name="twitter:description" property="og:description" itemprop="description" content="Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header?
I&#39;m aware of the *, but it is too open. I really want to allow just a couple domains.
As an example, " />
<meta property="og:url" content="http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains"/>
<link rel="canonical" href="http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains" />
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script src="//cdn.sstatic.net/Js/stub.en.js?v=04f7b96a3f6b"></script>
<link rel="stylesheet" type="text/css" href="//cdn.sstatic.net/stackoverflow/all.css?v=465085e8bea6">
<link rel="alternate" type="application/atom+xml" title="Feed for question &#39;Access-Control-Allow-Origin Multiple Origin Domains?&#39;" href="/feeds/question/1653308">
<meta name="twitter:app:country" content="US" />
<meta name="twitter:app:name:iphone" content="Stack Exchange iOS" />
<meta name="twitter:app:id:iphone" content="871299723" />
<meta name="twitter:app:url:iphone" content="se-zaphod://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains" />
<meta name="twitter:app:name:ipad" content="Stack Exchange iOS" />
<meta name="twitter:app:id:ipad" content="871299723" />
<meta name="twitter:app:url:ipad" content="se-zaphod://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains" />
<meta name="twitter:app:name:googleplay" content="Stack Exchange Android">
<meta name="twitter:app:url:googleplay" content="http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains">
<meta name="twitter:app:id:googleplay" content="com.stackexchange.marvin">
<script>
StackExchange.ready(function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.initSnippetRenderer();
});
StackExchange.using("postValidation", function () {
StackExchange.postValidation.initOnBlurAndSubmit($('#post-form'), 2, 'answer');
});
StackExchange.question.init({showAnswerHelp:true,totalCommentCount:3,shownCommentCount:3,highlightColor:'#F4A83D',backgroundColor:'#FFF',questionId:1653308});
styleCode();
StackExchange.realtime.subscribeToQuestion('1', '1653308');
StackExchange.using("gps", function () { StackExchange.gps.trackOutboundClicks('#content', '.post-text'); });
});
</script>
<script>
StackExchange.init({"locale":"en","stackAuthUrl":"https://stackauth.com","serverTime":1447907537,"networkMetaHostname":"meta.stackexchange.com","routeName":"Questions/Show","styleCode":true,"enableUserHovercards":true,"snippets":{"enabled":true,"domain":"stacksnippets.net"},"site":{"name":"Stack Overflow","description":"Q&A for professional and enthusiast programmers","isNoticesTabEnabled":true,"recaptchaPublicKey":"6LdchgIAAAAAAJwGpIzRQSOFaO0pU6s44Xt8aTwc","recaptchaAudioLang":"en","enableNewTagCreationWarning":true,"insertSpaceAfterNameTabCompletion":false,"id":1,"nonAsciiTags":true,"enableSocialMediaInSharePopup":true},"timingsGuid":"52b6532c-7db6-419b-b524-ae7294d01d10","timingsInfo":"mSDeH+5A8mo5orl972FZIX9zUx1X9NQRbzUoINFlPzrh6qUeTkDdr/E8NjSvwkkNDBzmNUheqev7N9sgpRkhSI0RSBAgYHc0ZlYSdPb6iVeTLh1wD3JboKW6Ur0ZkFQpBo03zDpXNHkk+QZ3nojaP/pb8IPXUw8MXf7984lQivDYpCoo2J4Simbh+bUXr3dtM+uP3ngXgZF3C8WVO9G5TvG6K4yJijLMmr4ff1dxKzJVUo0+07IuSxrwdcgFDkoszvwns6xVTHefzYMGOaskqb7x81DMiVZj1k+DFBGVMXVAQ/8NliLEVdZpkDI0RnewysnLpi4MXjlSc5dBeCh0JA==","user":{"fkey":"446ffcbb26be2dee11da0201910041cd","rep":0,"isAnonymous":true,"isAnonymousNetworkWide":true,"ab":{"simplified_signup_form":{"v":"c","g":1},"mobile_signup_confirmation_page":{"v":"a","g":2}}}});
StackExchange.using.setCacheBreakers({"js/prettify-full.en.js":"cd0b5dede31d","js/moderator.en.js":"7b2687f4cf30","js/full-anon.en.js":"cb17cb04308b","js/full.en.js":"634d3e98db6b","js/wmd.en.js":"5e9c26d19e49","js/third-party/jquery.autocomplete.min.js":"e5f01e97f7c3","js/third-party/jquery.autocomplete.min.en.js":"","js/mobile.en.js":"4fcbbedb7042","js/help.en.js":"f58b9bbdda52","js/tageditor.en.js":"bce25cab66ee","js/tageditornew.en.js":"e896c3471572","js/inline-tag-editing.en.js":"c8fe23f81191","js/revisions.en.js":"df3cb25dfabf","js/review.en.js":"5e92911ab590","js/tagsuggestions.en.js":"2a9fc67ea337","js/post-validation.en.js":"73fb051db844","js/explore-qlist.en.js":"415c9ef1f829","js/events.en.js":"d76cbbba1cbe","js/keyboard-shortcuts.en.js":"a51d528d60a9","js/external-editor.en.js":"717cd8f2a1e5","js/external-editor.en.js":"717cd8f2a1e5","js/snippet-javascript.en.js":"b7d150df9cac","js/snippet-javascript-codemirror.en.js":"5dbe7543c072"});
StackExchange.using("gps", function() {
StackExchange.gps.init(true);
});
</script>
<script>
StackExchange.ready(function () {
$('#nav-tour').click(function () {
StackExchange.using("gps", function() {
StackExchange.gps.track("aboutpage.click", { aboutclick_location: "headermain" }, true);
});
});
});
</script>
</head>
<body class="question-page new-topbar">
<noscript><div id="noscript-padding"></div></noscript>
<div id="notify-container"></div>
<div id="overlay-header"></div>
<div id="custom-header"></div>
<div class="topbar">
<div class="topbar-wrapper">
<div class="js-topbar-dialog-corral">
<div class="topbar-dialog siteSwitcher-dialog dno">
<div class="header">
<h3><a href="//stackoverflow.com">current community</a></h3>
</div>
<div class="modal-content current-site-container">
<ul class="current-site">
<li>
<div class="related-links">
<a href="http://chat.stackoverflow.com" class="js-gps-track" data-gps-track="site_switcher.click({ item_type:6 })"
>chat</a>
</div>
<a href="//stackoverflow.com"
class="current-site-link site-link js-gps-track"
data-id="1"
data-gps-track="
site_switcher.click({ item_type:3 })">
<div class="site-icon favicon favicon-stackoverflow" title="Stack Overflow"></div>
Stack Overflow
</a>
</li>
<li class="related-site">
<div class="L-shaped-icon-container">
<span class="L-shaped-icon"></span>
</div>
<a href="http://meta.stackoverflow.com"
class="site-link js-gps-track"
data-id="552"
data-gps-track="
site.switch({ target_site:552, item_type:3 }),
site_switcher.click({ item_type:4 })">
<div class="site-icon favicon favicon-stackoverflowmeta" title="Meta Stack Overflow"></div>
Meta Stack Overflow
</a>
</li>
<li class="related-site">
<div class="L-shaped-icon-container">
<span class="L-shaped-icon"></span>
</div>
<a class="site-link js-gps-track"
href="//careers.stackoverflow.com?utm_source=stackoverflow.com&amp;utm_medium=site-ui&amp;utm_campaign=multicollider"
data-gps-track="site_switcher.click({ item_type:9 })"
>
<div class="site-icon favicon favicon-careers" title="Stack Overflow Careers"></div>
Stack Overflow Careers
</a>
</li>
</ul>
</div>
<div class="header" id="your-communities-header">
<h3>
your communities </h3>
</div>
<div class="modal-content" id="your-communities-section">
<div class="call-to-login">
<a href="https://stackoverflow.com/users/signup?ssrc=site_switcher&amp;returnurl=http%3a%2f%2fstackoverflow.com%2fquestions%2f1653308%2faccess-control-allow-origin-multiple-origin-domains" class="login-link js-gps-track" data-gps-track="site_switcher.click({ item_type:10 })"
>Sign up</a> or <a href="https://stackoverflow.com/users/login?ssrc=site_switcher&amp;returnurl=http%3a%2f%2fstackoverflow.com%2fquestions%2f1653308%2faccess-control-allow-origin-multiple-origin-domains" class="login-link js-gps-track" data-gps-track="site_switcher.click({ item_type:11 })"
>log in</a> to customize your list.
</div>
</div>
<div class="header">
<h3><a href="//stackexchange.com/sites">more stack exchange communities</a></h3>
<a href="http://blog.stackoverflow.com" class="fr">company blog</a>
</div>
<div class="modal-content">
<div class="child-content"></div>
</div>
</div>
</div>
<div class="network-items">
<a href="//stackexchange.com"
class="topbar-icon icon-site-switcher yes-hover js-site-switcher-button js-gps-track"
data-gps-track="site_switcher.show"
title="A list of all 150 Stack Exchange sites">
<span class="hidden-text">Stack Exchange</span>
</a>
<a href="#"
class="topbar-icon icon-inbox yes-hover js-inbox-button"
title="Recent inbox messages">
<span class="hidden-text">Inbox</span>
<span class="unread-count" style="display:none"></span>
</a>
<a href="#"
class="topbar-icon icon-achievements yes-hover js-achievements-button "
data-unread-class=""
title="Recent achievements: reputation, badges, and privileges earned">
<span class="hidden-text">Reputation and Badges</span>
<span class="unread-count" style="display:none">
</span>
</a>
</div>
<div class="topbar-links">
<div class="links-container">
<span class="topbar-menu-links">
<a href="https://stackoverflow.com/users/signup?ssrc=head&returnurl=http%3a%2f%2fstackoverflow.com%2fquestions%2f1653308%2faccess-control-allow-origin-multiple-origin-domains" class="login-link">sign up</a>
<a href="https://stackoverflow.com/users/login?ssrc=head&returnurl=http%3a%2f%2fstackoverflow.com%2fquestions%2f1653308%2faccess-control-allow-origin-multiple-origin-domains" class="login-link">log in</a>
<a href="/tour">tour</a>
<a href="#" class="icon-help js-help-button" title="Help Center and other resources">
help
<span class="triangle"></span>
</a>
<div class="topbar-dialog help-dialog js-help-dialog dno">
<div class="modal-content">
<ul>
<li>
<a href="/tour" class="js-gps-track" data-gps-track="help_popup.click({ item_type:1 })">
Tour
<span class="item-summary">
Start here for a quick overview of the site
</span>
</a>
</li>
<li>
<a href="/help" class="js-gps-track" data-gps-track="help_popup.click({ item_type:4 })">
Help Center
<span class="item-summary">
Detailed answers to any questions you might have
</span>
</a>
</li>
<li>
<a href="//meta.stackoverflow.com" class="js-gps-track" data-gps-track="help_popup.click({ item_type:2 })">
Meta
<span class="item-summary">
Discuss the workings and policies of this site
</span>
</a>
</li>
</ul>
</div>
</div>
<a href="//careers.stackoverflow.com?utm_source=stackoverflow.com&amp;utm_medium=site-ui&amp;utm_campaign=anon-topbar">stack overflow careers</a>
</span>
</div>
<div class="search-container">
<form id="search" action="/search" method="get" autocomplete="off">
<input name="q" type="text" placeholder="search" value="" tabindex="1" autocomplete="off" maxlength="240" />
</form>
</div>
</div>
</div>
</div>
<script>
StackExchange.ready(function() { StackExchange.topbar.init(); });
</script>
<div class="container">
<div id="header">
<br class="cbt">
<div id="hlogo">
<a href="/" >
Stack Overflow
</a>
</div>
<div id="hmenus">
<div class="nav mainnavs">
<ul>
<li class="youarehere"><a id="nav-questions" href="/questions">Questions</a></li>
<li><a id="nav-tags" href="/tags">Tags</a></li>
<li><a id="nav-users" href="/users">Users</a></li>
<li><a id="nav-badges" href="/help/badges">Badges</a></li>
<li><a id="nav-unanswered" href="/unanswered">Unanswered</a></li>
</ul>
</div>
<div class="nav askquestion">
<ul>
<li>
<a id="nav-askquestion" href="/questions/ask">Ask Question</a>
</li>
</ul>
</div>
</div>
</div>
<div id="content" class="snippet-hidden">
<div itemscope itemtype="http://schema.org/Question">
<link itemprop="image" href="//cdn.sstatic.net/stackoverflow/img/apple-touch-icon.png?v=c78bd457575a">
<!--googleoff: all-->
<div id="herobox-mini">
<div id="hero-content">
<span id="controls">
<a href="/users/signup?ssrc=hero&amp;returnurl=http%3a%2f%2fstackoverflow.com%2fquestions%2f1653308%2faccess-control-allow-origin-multiple-origin-domains" id="tell-me-more" class="button">Sign up</a>
<span id="close"><a title="click to dismiss">&times;</a></span>
</span>
<div id="blurb">
Stack Overflow is a community of 4.7 million programmers, just like you, helping each other. Join them, it only takes a minute:
</div>
</div>
<script>
StackExchange.ready(function() {
var clickSource = $("body").attr("class") + '-mini';
var location = 0;
if ($("body").hasClass("questions-page")) {
clickSource = 'questionpagemini';
location = 2;
} else if ($("body").hasClass("question-page")) {
clickSource = 'questionpagemini';
location = 2;
} else if ($("body").hasClass("home-page")) {
clickSource = 'homepagemini';
location = 4;
}
$('#tell-me-more').click(function () {
StackExchange.using("gps", function () {
StackExchange.gps.track("hero.action", { hero_action_type: 'cta', location: location }, true);
});
});
$('#herobox-mini #close').click(function () {
StackExchange.using("gps", function () {
StackExchange.gps.track("hero.action", { hero_action_type: "close", location: location }, true);
});
$.cookie("hero", "none", { path: "/", expires: 365 });
var $hero = $("#herobox-mini");
$hero.slideUp('fast', function () { $hero.remove(); });
return false;
});
});
</script>
</div>
<!--googleon: all-->
<div id="question-header">
<h1 itemprop="name"><a href="/questions/1653308/access-control-allow-origin-multiple-origin-domains" class="question-hyperlink">Access-Control-Allow-Origin Multiple Origin Domains?</a></h1>
</div>
<div id="mainbar">
<div class="question" data-questionid="1653308" id="question">
<script>
var ados = ados || {}; ados.run = ados.run || [];
ados.run.push(function () { ados_add_placement(22,8277,"adzerk669062915",4).setZone(43); });
</script>
<div class="everyonelovesstackoverflow" id="adzerk669062915">
</div> <table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="1653308">
<a class="vote-up-off" title="This question shows research effort; it is useful and clear">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">444</span>
<a class="vote-down-off" title="This question does not show any research effort; it is unclear or not useful">down vote</a>
<a class="star-off" href="#" title="This is a favorite question (click again to undo)">favorite</a>
<div class="favoritecount"><b>147</b></div>
</div>
</td>
<td class="postcell">
<div>
<div class="post-text" itemprop="text">
<p>Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header?</p>
<p>I'm aware of the *, but it is too open. I really want to allow just a couple domains.</p>
<p>As an example, something like this:</p>
<pre><code>Access-Control-Allow-Origin: http://domain1.com, http://domain2.com
</code></pre>
<p>I have tried the above code but it doesn't seem to work in Firefox.</p>
<p>Is it possible to specify multiple domains or am I stuck with just one?</p>
</div>
<div class="post-taglist">
<a href="/questions/tagged/http" class="post-tag" title="show questions tagged &#39;http&#39;" rel="tag">http</a> <a href="/questions/tagged/.htaccess" class="post-tag" title="show questions tagged &#39;.htaccess&#39;" rel="tag">.htaccess</a> <a href="/questions/tagged/xmlhttprequest" class="post-tag" title="show questions tagged &#39;xmlhttprequest&#39;" rel="tag">xmlhttprequest</a> <a href="/questions/tagged/cross-domain" class="post-tag" title="show questions tagged &#39;cross-domain&#39;" rel="tag">cross-domain</a>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/q/1653308" title="short permalink to this question" class="short-link" id="link-post-1653308">share</a><span class="lsep">|</span><a href="/posts/1653308/edit" class="suggest-edit-post" title="">improve this question</a></div>
</td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
<a href="/posts/1653308/revisions" title="show all edits to this post">edited <span title="2011-12-14 18:51:55Z" class="relativetime">Dec 14 '11 at 18:51</span></a>
</div>
<div class="user-gravatar32">
<a href="/users/527702/hippietrail"><div class="gravatar-wrapper-32"><img src="https://i.stack.imgur.com/LrH0d.jpg?s=32&amp;g=1" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/527702/hippietrail">hippietrail</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">5,416</span><span title="3 gold badges"><span class="badge1"></span><span class="badgecount">3</span></span><span title="47 silver badges"><span class="badge2"></span><span class="badgecount">47</span></span><span title="79 bronze badges"><span class="badge3"></span><span class="badgecount">79</span></span>
</div>
</div> </td>
<td class="post-signature owner">
<div class="user-info user-hover">
<div class="user-action-time">
asked <span title="2009-10-31 03:27:44Z" class="relativetime">Oct 31 '09 at 3:27</span>
</div>
<div class="user-gravatar32">
<a href="/users/133776/thomas-j-bradley"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/85205721252b7699414f86e5851acf57?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/133776/thomas-j-bradley">Thomas J Bradley</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">2,418</span><span title="3 gold badges"><span class="badge1"></span><span class="badgecount">3</span></span><span title="9 silver badges"><span class="badge2"></span><span class="badgecount">9</span></span><span title="8 bronze badges"><span class="badge3"></span><span class="badgecount">8</span></span>
</div>
</div>
</td>
</tr>
</table>
</div>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-1653308" class="comments ">
<table>
<tbody data-remaining-comments-count="0"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-28250590" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">3</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy"><a href="http://www.w3.org/TR/cors/#access-control-allow-origin-response-header" rel="nofollow">Rather than allowing a space-separated list of origins, (origin-list-or-null) is either a single origin or the string &quot;null&quot;.</a> (thanks @maxpolk)</span>
&ndash;&nbsp;<a href="/users/822138/sam"
title="5396 reputation"
class="comment-user">sam</a>
<span class="comment-date" dir="ltr"><span title="2013-10-01 01:30:42Z" class="relativetime-clean">Oct 1 '13 at 1:30</span></span>
<span class="edited-yes" title="this comment was edited 1 time"></span>
</div>
</td>
</tr>
<tr id="comment-34530100" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">1</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Using the most recent Firefox, neither comma seperated, nor space seperated domains did work. Matching against a list of domains and putting a single host in the headers is still better security and does work properly.</span>
&ndash;&nbsp;<a href="/users/1948292/danfromgermany"
title="11541 reputation"
class="comment-user">DanFromGermany</a>
<span class="comment-date" dir="ltr"><span title="2014-03-26 16:58:42Z" class="relativetime-clean">Mar 26 '14 at 16:58</span></span>
</div>
</td>
</tr>
<tr id="comment-45418103" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">1</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">If you&#39;re struggling with this for HTTPS, I found a <a href="http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains/28552592#28552592">solution</a>.</span>
&ndash;&nbsp;<a href="/users/1399491/alex-w"
title="17096 reputation"
class="comment-user">Alex W</a>
<span class="comment-date" dir="ltr"><span title="2015-02-17 00:14:31Z" class="relativetime-clean">Feb 17 at 0:14</span></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-1653308" data-rep=50 data-anon=true>
<a class="js-add-link comments-link disabled-link "
title="Use comments to ask for more information or suggest improvements. Avoid answering questions in comments."
>add a comment</a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link dno" title="expand to show all comments on this post" href=# onclick=""></a>
</div>
</td>
</tr> </table>
</div>
<div id="answers">
<a name="tab-top"></a>
<div id="answers-header">
<div class="subheader answers-subheader">
<h2>
21 Answers
<span style="display:none;" itemprop="answerCount">21</span>
</h2>
<div>
<div id="tabs">
<a href="/questions/1653308/access-control-allow-origin-multiple-origin-domains?answertab=active#tab-top" data-nav-xhref="" title="Answers with the latest activity first" data-value="active">active</a>
<a href="/questions/1653308/access-control-allow-origin-multiple-origin-domains?answertab=oldest#tab-top" data-nav-xhref="" title="Answers in the order they were provided" data-value="oldest">oldest</a>
<a class="youarehere" href="/questions/1653308/access-control-allow-origin-multiple-origin-domains?answertab=votes#tab-top" data-nav-xhref="" title="Answers with the highest score first" data-value="votes">votes</a>
</div>
</div>
</div>
</div>
<a name="1850482"></a>
<div id="answer-1850482" class="answer accepted-answer" data-answerid="1850482" itemscope itemtype="http://schema.org/Answer" itemprop="acceptedAnswer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="1850482">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">424</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
<span class="vote-accepted-on load-accepted-answer-date" title="loading when this answer was accepted...">accepted</span>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>Sounds like the recommended way to do it is to have your server read the Origin header from the client, compare that to the list of domains you'd like to allow, and if it matches, echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response.</p>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/1850482" title="short permalink to this answer" class="short-link" id="link-post-1850482">share</a><span class="lsep">|</span><a href="/posts/1850482/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2009-12-05 00:10:06Z" class="relativetime">Dec 5 '09 at 0:10</span>
</div>
<div class="user-gravatar32">
<a href="/users/225190/yesthatguy"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/c4085b15987bb7258abc73e6bc8ba730?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/225190/yesthatguy">yesthatguy</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">4,272</span><span title="1 gold badge"><span class="badge1"></span><span class="badgecount">1</span></span><span title="8 silver badges"><span class="badge2"></span><span class="badgecount">8</span></span><span title="3 bronze badges"><span class="badge3"></span><span class="badgecount">3</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-1850482" class="comments ">
<table>
<tbody data-remaining-comments-count="9"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-4473996" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="hot">25</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">This matches what the W3C suggests -- <a href="http://www.w3.org/TR/cors/#access-control-allow-origin-response-hea" rel="nofollow">w3.org/TR/cors/#access-control-allow-origin-response-hea</a></span>
&ndash;&nbsp;<a href="/users/296639/simon-b"
title="952 reputation"
class="comment-user">Simon B.</a>
<span class="comment-date" dir="ltr"><span title="2010-11-10 17:22:04Z" class="relativetime-clean">Nov 10 '10 at 17:22</span></span>
</div>
</td>
</tr>
<tr id="comment-6304250" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="supernova">89</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">My problem with this answer is it doesn&#39;t really help me, because we use a CDN, and obviously we can&#39;t control how the CDN sets headers programatically.</span>
&ndash;&nbsp;<a href="/users/122422/b-t"
title="9908 reputation"
class="comment-user">B T</a>
<span class="comment-date" dir="ltr"><span title="2011-04-05 00:00:25Z" class="relativetime-clean">Apr 5 '11 at 0:00</span></span>
</div>
</td>
</tr>
<tr id="comment-13417849" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">3</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">As @BT notes this isn&#39;t a great solution because it doesn&#39;t work over a CDN. With that said, if you still want to do it there are two typical CDN configurations. In the first, you use your server as an origin server. In that case specifying a simple * (while not ideal) would work. The CDN would cache this header along with whatever else you send and serve it to the client. In the second, you use a remote (CDN managed) server as the origin. In this case you should configure the CDN to send back a custom HTTP header for this content. (Again, you&#39;d specify *)</span>
&ndash;&nbsp;<a href="/users/1265527/genexp"
title="177 reputation"
class="comment-user">genexp</a>
<span class="comment-date" dir="ltr"><span title="2012-05-01 18:39:11Z" class="relativetime-clean">May 1 '12 at 18:39</span></span>
</div>
</td>
</tr>
<tr id="comment-16685896" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">6</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Actual example (Nginx) in my answer below - <a href="http://stackoverflow.com/a/12414239/6084">stackoverflow.com/a/12414239/6084</a></span>
&ndash;&nbsp;<a href="/users/6084/mjallday"
title="4803 reputation"
class="comment-user">mjallday</a>
<span class="comment-date" dir="ltr"><span title="2012-09-13 20:26:07Z" class="relativetime-clean">Sep 13 '12 at 20:26</span></span>
</div>
</td>
</tr>
<tr id="comment-19833449" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="hot">23</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">If caches or CDNs are a concern, use the <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.44" rel="nofollow">Vary header</a> to tell the cache/CDN to keep separate responses for different Origin request header values. You would include a header like &quot;Vary: Origin&quot; in your response. The cache/CDN then knows that it should send one response to a request with header &quot;Origin: <a href="http://foo.example.com&quot" rel="nofollow">foo.example.com&quot</a>;, and a different response to a request with header &quot;Origin: <a href="http://bar.example.com&quot" rel="nofollow">bar.example.com&quot</a>;.</span>
&ndash;&nbsp;<a href="/users/302898/sean"
title="960 reputation"
class="comment-user">Sean</a>
<span class="comment-date" dir="ltr"><span title="2013-01-11 17:34:19Z" class="relativetime-clean">Jan 11 '13 at 17:34</span></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-1850482" data-rep=50 data-anon=true>
<a class="js-add-link comments-link dno"
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
></a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link " title="expand to show all comments on this post" href=# onclick="">show <b>9</b> more comments</a>
</div>
</td>
</tr> </table>
</div>
<script>
var ados = ados || {}; ados.run = ados.run || [];
ados.run.push(function () { ados_add_placement(22,8277,"adzerk1547140043",4).setZone(44); });
</script>
<div class="everyonelovesstackoverflow" id="adzerk1547140043">
</div>
<a name="6044862"></a>
<div id="answer-6044862" class="answer" data-answerid="6044862" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="6044862">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">76</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>I had the same problem with woff-fonts, multiple subdomains had to have access. To allow subdomains I added something like this to my httpd.conf:</p>
<pre><code>SetEnvIf Origin "^(.*\.example\.com)$" ORIGIN_SUB_DOMAIN=$1
&lt;FilesMatch "\.woff$"&gt;
Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
&lt;/FilesMatch&gt;
</code></pre>
<p>For multiple domains you could just change the regex in <code>SetEnvIf</code>.</p>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/6044862" title="short permalink to this answer" class="short-link" id="link-post-6044862">share</a><span class="lsep">|</span><a href="/posts/6044862/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info user-hover">
<div class="user-action-time">
<a href="/posts/6044862/revisions" title="show all edits to this post">edited <span title="2013-07-09 07:59:26Z" class="relativetime">Jul 9 '13 at 7:59</span></a>
</div>
<div class="user-gravatar32">
<a href="/users/128421/the-tin-man"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/71770d043c0f7e3c7bc5f74190015c26?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/128421/the-tin-man">the Tin Man</a><br>
<span class="reputation-score" title="reputation score 93910" dir="ltr">93.9k</span><span title="18 gold badges"><span class="badge1"></span><span class="badgecount">18</span></span><span title="117 silver badges"><span class="badge2"></span><span class="badgecount">117</span></span><span title="180 bronze badges"><span class="badge3"></span><span class="badgecount">180</span></span>
</div>
</div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2011-05-18 12:46:07Z" class="relativetime">May 18 '11 at 12:46</span>
</div>
<div class="user-gravatar32">
<a href="/users/542433/staugaard"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/fa7c1574c750581928509b6429b2fe56?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/542433/staugaard">Staugaard</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">869</span><span title="6 silver badges"><span class="badge2"></span><span class="badgecount">6</span></span><span title="5 bronze badges"><span class="badge3"></span><span class="badgecount">5</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-6044862" class="comments ">
<table>
<tbody data-remaining-comments-count="0"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-13142716" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">2</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Did the trick. Just make sure you adapt the regular expression correctly. I needed to add a question mark to allow the domain itself, e.g. <code>(.*\.?example\.org)</code> for <code>example.com</code> and <code>sub.example.com</code>.</span>
&ndash;&nbsp;<a href="/users/128703/trkoch"
title="690 reputation"
class="comment-user">trkoch</a>
<span class="comment-date" dir="ltr"><span title="2012-04-19 13:55:22Z" class="relativetime-clean">Apr 19 '12 at 13:55</span></span>
</div>
</td>
</tr>
<tr id="comment-25569426" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Any thoughts on how to adapt this for IIS 7?</span>
&ndash;&nbsp;<a href="/users/271985/dadwithkids"
title="123 reputation"
class="comment-user">dadwithkids</a>
<span class="comment-date" dir="ltr"><span title="2013-07-10 14:53:29Z" class="relativetime-clean">Jul 10 '13 at 14:53</span></span>
</div>
</td>
</tr>
<tr id="comment-26355640" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Isn&#39;t that defeating the purpose though ? What would prevent a malicious user from forging the Origin header value ?</span>
&ndash;&nbsp;<a href="/users/302789/gr%c3%a9gory-joseph"
title="504 reputation"
class="comment-user">Gr&#233;gory Joseph</a>
<span class="comment-date" dir="ltr"><span title="2013-08-02 15:22:04Z" class="relativetime-clean">Aug 2 '13 at 15:22</span></span>
</div>
</td>
</tr>
<tr id="comment-26774066" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">@Gr&#233;goryJoseph Access-Control-Allow-Origin isn&#39;t about hiding resources from someone that can request it. It&#39;s about preventing a malicious site from having end users calling your site. In the case of font files, this can only effectively limit hot linking of fonts, why they (mozilla/firefox) didn&#39;t do the same for other resources (js, css, etc) is beyond me.</span>
&ndash;&nbsp;<a href="/users/43906/tracker1"
title="9593 reputation"
class="comment-user">Tracker1</a>
<span class="comment-date" dir="ltr"><span title="2013-08-15 16:28:40Z" class="relativetime-clean">Aug 15 '13 at 16:28</span></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-6044862" data-rep=50 data-anon=true>
<a class="js-add-link comments-link disabled-link "
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
>add a comment</a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link dno" title="expand to show all comments on this post" href=# onclick=""></a>
</div>
</td>
</tr> </table>
</div>
<a name="7454204"></a>
<div id="answer-7454204" class="answer" data-answerid="7454204" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="7454204">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">69</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>Another solution I'm using in PHP:</p>
<pre><code>$http_origin = $_SERVER['HTTP_ORIGIN'];
if ($http_origin == "http://www.domain1.com" || $http_origin == "http://www.domain2.com" || $http_origin == "http://www.domain3.info")
{
header("Access-Control-Allow-Origin: $http_origin");
}
</code></pre>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/7454204" title="short permalink to this answer" class="short-link" id="link-post-7454204">share</a><span class="lsep">|</span><a href="/posts/7454204/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
<a href="/posts/7454204/revisions" title="show all edits to this post">edited <span title="2013-09-26 11:38:47Z" class="relativetime">Sep 26 '13 at 11:38</span></a>
</div>
<div class="user-gravatar32">
</div>
<div class="user-details">
<br>
</div>
</div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2011-09-17 10:49:21Z" class="relativetime">Sep 17 '11 at 10:49</span>
</div>
<div class="user-gravatar32">
<a href="/users/613598/nikolay-ivanov"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/c888f7e2942382050674abedc46343f5?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/613598/nikolay-ivanov">Nikolay Ivanov</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">1,419</span><span title="12 silver badges"><span class="badge2"></span><span class="badgecount">12</span></span><span title="16 bronze badges"><span class="badge3"></span><span class="badgecount">16</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-7454204" class="comments ">
<table>
<tbody data-remaining-comments-count="1"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-14338713" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">10</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Why not use the approach suggested in <a href="http://stackoverflow.com/a/1850482/11635">stackoverflow.com/a/1850482/11635</a> [and dont sent a wildcard, just the requested origin] ? This is just more permissive without achieving anything more?</span>
&ndash;&nbsp;<a href="/users/11635/ruben-bartelink"
title="28191 reputation"
class="comment-user">Ruben Bartelink</a>
<span class="comment-date" dir="ltr"><span title="2012-06-11 10:54:19Z" class="relativetime-clean">Jun 11 '12 at 10:54</span></span>
</div>
</td>
</tr>
<tr id="comment-19386908" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">8</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">having <code>header(&#39;Access-Control-Allow-Origin: *&#39;)</code> sometimes says cannot use wild card if credentials flag is true - happens when <code>header(&#39;Access-Control-Allow-Credentials: true&#39;)</code>probably. So, better to Allow-Origin the <code>$http_origin</code> itself if the conditions are met</span>
&ndash;&nbsp;<a href="/users/636762/syedrakib"
title="1780 reputation"
class="comment-user">syedrakib</a>
<span class="comment-date" dir="ltr"><span title="2012-12-25 21:40:11Z" class="relativetime-clean">Dec 25 '12 at 21:40</span></span>
</div>
</td>
</tr>
<tr id="comment-33625514" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Nice trick. helped me. Thank you.</span>
&ndash;&nbsp;<a href="/users/1935534/jalaljaberi"
title="432 reputation"
class="comment-user">JalalJaberi</a>
<span class="comment-date" dir="ltr"><span title="2014-03-03 21:09:29Z" class="relativetime-clean">Mar 3 '14 at 21:09</span></span>
</div>
</td>
</tr>
<tr id="comment-46326326" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">1</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">replace the last line with <code>header(&quot;Access-Control-Allow-Origin: &quot; . $http_origin);</code> to make it work</span>
&ndash;&nbsp;<a href="/users/2112538/francoisromain"
title="1600 reputation"
class="comment-user">francoisromain</a>
<span class="comment-date" dir="ltr"><span title="2015-03-13 22:47:12Z" class="relativetime-clean">Mar 13 at 22:47</span></span>
</div>
</td>
</tr>
<tr id="comment-46338273" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">@desgnl, both ways it works. PHP variables inside double quotes are evaluated: <a href="http://php.net/manual/de/language.types.string.php#language.types.string.parsing" rel="nofollow">php.net/manual/de/&hellip;</a></span>
&ndash;&nbsp;<a href="/users/613598/nikolay-ivanov"
title="1419 reputation"
class="comment-user">Nikolay Ivanov</a>
<span class="comment-date" dir="ltr"><span title="2015-03-14 14:35:55Z" class="relativetime-clean">Mar 14 at 14:35</span></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-7454204" data-rep=50 data-anon=true>
<a class="js-add-link comments-link dno"
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
></a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link " title="expand to show all comments on this post" href=# onclick="">show <b>1</b> more comment</a>
</div>
</td>
</tr> </table>
</div>
<a name="11077890"></a>
<div id="answer-11077890" class="answer" data-answerid="11077890" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="11077890">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">57</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>This worked for me:</p>
<pre><code>SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.org|domain2\.com)$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
</code></pre>
<p>put in .htaccess</p>
<p>it will work for sure.</p>
<p>Cheers!!</p>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/11077890" title="short permalink to this answer" class="short-link" id="link-post-11077890">share</a><span class="lsep">|</span><a href="/posts/11077890/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2012-06-18 06:31:30Z" class="relativetime">Jun 18 '12 at 6:31</span>
</div>
<div class="user-gravatar32">
<a href="/users/1377144/jay-dave"><div class="gravatar-wrapper-32"><img src="https://i.stack.imgur.com/UMvMD.jpg?s=32&amp;g=1" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/1377144/jay-dave">Jay Dave</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">897</span><span title="8 silver badges"><span class="badge2"></span><span class="badgecount">8</span></span><span title="7 bronze badges"><span class="badge3"></span><span class="badgecount">7</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-11077890" class="comments ">
<table>
<tbody data-remaining-comments-count="1"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-19016529" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">This is a great solution, thanks.</span>
&ndash;&nbsp;<a href="/users/545726/aiham"
title="1596 reputation"
class="comment-user">aiham</a>
<span class="comment-date" dir="ltr"><span title="2012-12-11 12:28:22Z" class="relativetime-clean">Dec 11 '12 at 12:28</span></span>
</div>
</td>
</tr>
<tr id="comment-28779045" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">3</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Great answer, should be the accepted answer since it provides the solution as well!</span>
&ndash;&nbsp;<a href="/users/798634/matt-k"
title="3860 reputation"
class="comment-user">Matt K</a>
<span class="comment-date" dir="ltr"><span title="2013-10-16 21:09:57Z" class="relativetime-clean">Oct 16 '13 at 21:09</span></span>
<span class="edited-yes" title="this comment was edited 1 time"></span>
</div>
</td>
</tr>
<tr id="comment-29379685" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">11</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">best solution for me, but i added port support (e.g. <a href="http://localhost:3000" rel="nofollow">localhost:3000</a> for development): SetEnvIf Origin &quot;^http(s)?://(.+\.)?(localhost|stackoverflow.com|example1.com)(:[0-9]+)?$&quot; origin_is=$0</span>
&ndash;&nbsp;<a href="/users/2334230/tecjam"
title="218 reputation"
class="comment-user">tecjam</a>
<span class="comment-date" dir="ltr"><span title="2013-11-04 13:10:33Z" class="relativetime-clean">Nov 4 '13 at 13:10</span></span>
</div>
</td>
</tr>
<tr id="comment-38210092" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">1</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">It&#39;s working great!</span>
&ndash;&nbsp;<a href="/users/1366109/orz"
title="208 reputation"
class="comment-user">Orz</a>
<span class="comment-date" dir="ltr"><span title="2014-07-09 09:36:00Z" class="relativetime-clean">Jul 9 '14 at 9:36</span></span>
</div>
</td>
</tr>
<tr id="comment-45941442" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Of the several answers all around stackoverflow, this was the one that worked.</span>
&ndash;&nbsp;<a href="/users/1130803/meetai-com"
title="1383 reputation"
class="comment-user">Meetai.com</a>
<span class="comment-date" dir="ltr"><span title="2015-03-03 15:45:11Z" class="relativetime-clean">Mar 3 at 15:45</span></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-11077890" data-rep=50 data-anon=true>
<a class="js-add-link comments-link dno"
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
></a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link " title="expand to show all comments on this post" href=# onclick="">show <b>1</b> more comment</a>
</div>
</td>
</tr> </table>
</div>
<a name="4110601"></a>
<div id="answer-4110601" class="answer" data-answerid="4110601" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="4110601">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">40</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>The answer seems to be to use the header more than once. That is, rather than sending</p>
<pre><code>Access-Control-Allow-Origin: http://domain1.com, http://domain2.com, http://domain3.com
</code></pre>
<p>send</p>
<pre><code>Access-Control-Allow-Origin: http://domain1.com
Access-Control-Allow-Origin: http://domain2.com
Access-Control-Allow-Origin: http://domain3.com
</code></pre>
<p>On Apache, you can do this in an <code>httpd.conf</code> <code>&lt;VirtualHost&gt;</code> section or <code>.htaccess</code> file using <code>mod_headers</code> and this syntax:</p>
<pre><code>Header add Access-Control-Allow-Origin "http://domain1.com"
Header add Access-Control-Allow-Origin "http://domain2.com"
Header add Access-Control-Allow-Origin "http://domain3.com"
</code></pre>
<p>The trick is to use <code>add</code> rather than <code>append</code> as the first argument.</p>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/4110601" title="short permalink to this answer" class="short-link" id="link-post-4110601">share</a><span class="lsep">|</span><a href="/posts/4110601/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2010-11-05 22:22:20Z" class="relativetime">Nov 5 '10 at 22:22</span>
</div>
<div class="user-gravatar32">
<a href="/users/498857/ben-c-forsberg"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/d3140a7fb9c8e1db421a5c0657923b67?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/498857/ben-c-forsberg">Ben C. Forsberg</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">825</span><span title="6 silver badges"><span class="badge2"></span><span class="badgecount">6</span></span><span title="2 bronze badges"><span class="badge3"></span><span class="badgecount">2</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-4110601" class="comments ">
<table>
<tbody data-remaining-comments-count="6"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-23267891" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">2</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">there&#39;s a variation on this which seems to work: <a href="http://stackoverflow.com/questions/9466496/how-to-configure-apache-to-handle-multiple-domains-with-access-control-allow-ori" title="how to configure apache to handle multiple domains with access control allow ori">stackoverflow.com/questions/9466496/&hellip;</a></span>
&ndash;&nbsp;<a href="/users/262455/jack-james"
title="1325 reputation"
class="comment-user">Jack James</a>
<span class="comment-date" dir="ltr"><span title="2013-04-28 07:58:32Z" class="relativetime-clean">Apr 28 '13 at 7:58</span></span>
</div>
</td>
</tr>
<tr id="comment-24118646" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="supernova">62</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Just spent two hours trying to fix an issue related to CORS and it turns out that it was because of multiple Access-Control-Allow-Origin headers. I removed the multiple Access-Control-Allow-Origin headers and it started working. So this is not the right answer despite the number of votes. Use this method instead to support multiple domains: <a href="http://stackoverflow.com/a/1850482/123545">stackoverflow.com/a/1850482/123545</a></span>
&ndash;&nbsp;<a href="/users/123545/erjab"
title="2185 reputation"
class="comment-user">ErJab</a>
<span class="comment-date" dir="ltr"><span title="2013-05-25 00:26:07Z" class="relativetime-clean">May 25 '13 at 0:26</span></span>
</div>
</td>
</tr>
<tr id="comment-38075521" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">8</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">This is not a correct answer.</span>
&ndash;&nbsp;<a href="/users/1166285/d-b"
title="5717 reputation"
class="comment-user">d-_-b</a>
<span class="comment-date" dir="ltr"><span title="2014-07-04 18:35:10Z" class="relativetime-clean">Jul 4 '14 at 18:35</span></span>
</div>
</td>
</tr>
<tr id="comment-40223212" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">5</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">The <a href="http://www.w3.org/TR/cors/" rel="nofollow">specs</a> clearly say that multiple values will cause the CORS algorithm to fails. So this isn&#39;t correct.</span>
&ndash;&nbsp;<a href="/users/1233630/lior"
title="996 reputation"
class="comment-user">Lior</a>
<span class="comment-date" dir="ltr"><span title="2014-09-08 15:56:36Z" class="relativetime-clean">Sep 8 '14 at 15:56</span></span>
</div>
</td>
</tr>
<tr id="comment-41201490" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">4</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Also confirming this is incorrect. Using this to serve CSS to four domains, I receive an error in Chrome&#39;s log <i>&quot;[...] header contains multiple values &#39;<a href="http://aaa.com" rel="nofollow">aaa.com</a>, <a href="http://bbb.com&#39" rel="nofollow">bbb.com&#39</a>;, but only one is allowed&quot;</i>. It does not matter if you define it as one header, or multiple, or using <code>add</code> vs. <code>set</code>. It just doesn&#39;t work.</span>
&ndash;&nbsp;<a href="/users/470480/radgh"
title="1432 reputation"
class="comment-user">RadGH</a>
<span class="comment-date" dir="ltr"><span title="2014-10-08 17:56:24Z" class="relativetime-clean">Oct 8 '14 at 17:56</span></span>
<span class="edited-yes" title="this comment was edited 2 times"></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-4110601" data-rep=50 data-anon=true>
<a class="js-add-link comments-link dno"
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
></a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link " title="expand to show all comments on this post" href=# onclick="">show <b>6</b> more comments</a>
</div>
</td>
</tr> </table>
</div>
<a name="12414239"></a>
<div id="answer-12414239" class="answer" data-answerid="12414239" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="12414239">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">26</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>Here's how to echo the Origin header back if it matches your domain with Nginx, this is useful if you want to serve a font multiple sub-domains:</p>
<pre><code>location /fonts {
# this will echo back the origin header
if ($http_origin ~ "example.org$") {
add_header "Access-Control-Allow-Origin" $http_origin;
}
}
</code></pre>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/12414239" title="short permalink to this answer" class="short-link" id="link-post-12414239">share</a><span class="lsep">|</span><a href="/posts/12414239/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info user-hover">
<div class="user-action-time">
answered <span title="2012-09-13 20:25:22Z" class="relativetime">Sep 13 '12 at 20:25</span>
</div>
<div class="user-gravatar32">
<a href="/users/6084/mjallday"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/cfea58b30e0b6fa07091b6405d32df23?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/6084/mjallday">mjallday</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">4,803</span><span title="1 gold badge"><span class="badge1"></span><span class="badgecount">1</span></span><span title="30 silver badges"><span class="badge2"></span><span class="badgecount">30</span></span><span title="52 bronze badges"><span class="badge3"></span><span class="badgecount">52</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-12414239" class="comments ">
<table>
<tbody data-remaining-comments-count="0"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-44918484" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Can&#39;t understand how is this different from: add_header Access-Control-Allow-Origin *; Care to explain?</span>
&ndash;&nbsp;<a href="/users/1128223/anoyz"
title="2619 reputation"
class="comment-user">Anoyz</a>
<span class="comment-date" dir="ltr"><span title="2015-02-02 16:24:26Z" class="relativetime-clean">Feb 2 at 16:24</span></span>
<span class="edited-yes" title="this comment was edited 2 times"></span>
</div>
</td>
</tr>
<tr id="comment-45056169" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">this is going to return a header that authorizes the browser to only send requests from the domain specified. if i guessed i&#39;d say the browser could authorize content from another domain loaded on that page to access the server otherwise.</span>
&ndash;&nbsp;<a href="/users/6084/mjallday"
title="4803 reputation"
class="comment-user">mjallday</a>
<span class="comment-date" dir="ltr"><span title="2015-02-06 00:06:21Z" class="relativetime-clean">Feb 6 at 0:06</span></span>
</div>
</td>
</tr>
<tr id="comment-49655725" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">1</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">@Anoyz for one thing there may be enhanced security where &quot;Allow *&quot; is not permitted, but a specified and matching host name for the allow header works. An example here, if you want to send authorization information cross domain, you can not use &quot;Allow *&quot;</span>
&ndash;&nbsp;<a href="/users/1361680/tcc"
title="851 reputation"
class="comment-user">TCC</a>
<span class="comment-date" dir="ltr"><span title="2015-06-12 13:00:40Z" class="relativetime-clean">Jun 12 at 13:00</span></span>
</div>
</td>
</tr>
<tr id="comment-53940882" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">TCC, that is the exact reason -- I didn&#39;t want to limit the clients, but I did want to use authorization. The only way to do that according to the specs is to return the Origin. I&#39;m actually surprised that they even have * -- either return the origin or don&#39;t.</span>
&ndash;&nbsp;<a href="/users/1331672/gerard-oneill"
title="837 reputation"
class="comment-user">Gerard ONeill</a>
<span class="comment-date" dir="ltr"><span title="2015-10-11 01:16:12Z" class="relativetime-clean">Oct 11 at 1:16</span></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-12414239" data-rep=50 data-anon=true>
<a class="js-add-link comments-link disabled-link "
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
>add a comment</a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link dno" title="expand to show all comments on this post" href=# onclick=""></a>
</div>
</td>
</tr> </table>
</div>
<a name="2303353"></a>
<div id="answer-2303353" class="answer" data-answerid="2303353" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="2303353">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">13</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>There is one disadvantage you should be aware of: As soon as you out-source files to a CDN (or any other server which doesn't allow scripting) or if your files are cached on a proxy, altering response based on 'Origin' request header will not work.</p>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/2303353" title="short permalink to this answer" class="short-link" id="link-post-2303353">share</a><span class="lsep">|</span><a href="/posts/2303353/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2010-02-20 19:18:51Z" class="relativetime">Feb 20 '10 at 19:18</span>
</div>
<div class="user-gravatar32">
<a href="/users/277784/mark"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/69b368f1ce68bead1174517a3ed99c17?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/277784/mark">Mark</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">139</span><span title="1 silver badge"><span class="badge2"></span><span class="badgecount">1</span></span><span title="2 bronze badges"><span class="badge3"></span><span class="badgecount">2</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-2303353" class="comments ">
<table>
<tbody data-remaining-comments-count="0"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-6304191" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="cool">4</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">Could you elaborate on this, or point us somewhere we can look for more info? I&#39;m looking to do just that with Limelight, and I&#39;m hoping you&#39;re wrong. One of our tech ops guys said that as long as our CDN seed server sends the header, the CDN itself will send it. Have yet to test it out</span>
&ndash;&nbsp;<a href="/users/122422/b-t"
title="9908 reputation"
class="comment-user">B T</a>
<span class="comment-date" dir="ltr"><span title="2011-04-04 23:52:28Z" class="relativetime-clean">Apr 4 '11 at 23:52</span></span>
</div>
</td>
</tr>
<tr id="comment-19835066" class="comment ">
<td class="comment-actions">
<table>
<tbody>
<tr>
<td class=" comment-score">
<span title="number of &#39;useful comment&#39; votes received"
class="warm">6</span>
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">If caches or CDNs are a concern, use the Vary header to tell the cache/CDN to keep separate responses for different Origin request header values. You would include a header like &quot;Vary: Origin&quot; in your response. The cache/CDN then knows that it should send one response to a request with header &quot;Origin: <a href="http://foo.example.com&quot" rel="nofollow">foo.example.com&quot</a>;, and a different response to a request with header &quot;Origin: <a href="http://bar.example.com&quot" rel="nofollow">bar.example.com&quot</a>;.</span>
&ndash;&nbsp;<a href="/users/302898/sean"
title="960 reputation"
class="comment-user">Sean</a>
<span class="comment-date" dir="ltr"><span title="2013-01-11 18:32:31Z" class="relativetime-clean">Jan 11 '13 at 18:32</span></span>
<span class="edited-yes" title="this comment was edited 1 time"></span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div id="comments-link-2303353" data-rep=50 data-anon=true>
<a class="js-add-link comments-link disabled-link "
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
>add a comment</a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link dno" title="expand to show all comments on this post" href=# onclick=""></a>
</div>
</td>
</tr> </table>
</div>
<a name="14034228"></a>
<div id="answer-14034228" class="answer" data-answerid="14034228" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="14034228">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">13</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>Here is what i did for a PHP application which is being requested by AJAX</p>
<pre><code>$request_headers = apache_request_headers();
$http_origin = $request_headers['Origin'];
$allowed_http_origins = array(
"http://myDumbDomain.com" ,
"http://anotherDumbDomain.com" ,
"http://localhost" ,
);
if (in_array($http_origin, $allowed_http_origins)){
@header("Access-Control-Allow-Origin: " . $http_origin);
}
</code></pre>
<p>If the requesting origin is allowed by my server, return the <code>$http_origin</code> itself as value of the <code>Access-Control-Allow-Origin</code> header instead of returning a <code>*</code> wildcard, </p>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/14034228" title="short permalink to this answer" class="short-link" id="link-post-14034228">share</a><span class="lsep">|</span><a href="/posts/14034228/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info ">
<div class="user-action-time">
answered <span title="2012-12-25 21:48:57Z" class="relativetime">Dec 25 '12 at 21:48</span>
</div>
<div class="user-gravatar32">
<a href="/users/636762/syedrakib"><div class="gravatar-wrapper-32"><img src="https://www.gravatar.com/avatar/52351c68bff7878307faa6ad4056cb27?s=32&amp;d=identicon&amp;r=PG" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/636762/syedrakib">syedrakib</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">1,780</span><span title="2 gold badges"><span class="badge1"></span><span class="badgecount">2</span></span><span title="17 silver badges"><span class="badge2"></span><span class="badgecount">17</span></span><span title="46 bronze badges"><span class="badge3"></span><span class="badgecount">46</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-14034228" class="comments dno">
<table>
<tbody data-remaining-comments-count="0"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr><td></td><td></td></tr>
</tbody>
</table>
</div>
<div id="comments-link-14034228" data-rep=50 data-anon=true>
<a class="js-add-link comments-link disabled-link "
title="Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”."
>add a comment</a><span class="js-link-separator dno">&nbsp;|&nbsp;</span>
<a class="js-show-link comments-link dno" title="expand to show all comments on this post" href=# onclick=""></a>
</div>
</td>
</tr> </table>
</div>
<a name="22331292"></a>
<div id="answer-22331292" class="answer" data-answerid="22331292" itemscope itemtype="http://schema.org/Answer">
<table>
<tr>
<td class="votecell">
<div class="vote">
<input type="hidden" name="_id_" value="22331292">
<a class="vote-up-off" title="This answer is useful">up vote</a>
<span itemprop="upvoteCount" class="vote-count-post ">11</span>
<a class="vote-down-off" title="This answer is not useful">down vote</a>
</div>
</td>
<td class="answercell">
<div class="post-text" itemprop="text">
<p>For multiple domains, in your .htaccess:</p>
<pre><code>&lt;IfModule mod_headers.c&gt;
SetEnvIf Origin "http(s)?://(www\.)?(domain1.org|domain2.com)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
&lt;/IfModule&gt;
</code></pre>
</div>
<table class="fw">
<tr>
<td class="vt">
<div class="post-menu"><a href="/a/22331292" title="short permalink to this answer" class="short-link" id="link-post-22331292">share</a><span class="lsep">|</span><a href="/posts/22331292/edit" class="suggest-edit-post" title="">improve this answer</a></div> </td>
<td align="right" class="post-signature">
<div class="user-info user-hover">
<div class="user-action-time">
answered <span title="2014-03-11 16:51:01Z" class="relativetime">Mar 11 '14 at 16:51</span>
</div>
<div class="user-gravatar32">
<a href="/users/1140227/george"><div class="gravatar-wrapper-32"><img src="https://i.stack.imgur.com/JLyN0.jpg?s=32&amp;g=1" alt="" width="32" height="32"></div></a>
</div>
<div class="user-details">
<a href="/users/1140227/george">George</a><br>
<span class="reputation-score" title="reputation score " dir="ltr">2,602</span><span title="4 gold badges"><span class="badge1"></span><span class="badgecount">4</span></span><span title="20 silver badges"><span class="badge2"></span><span class="badgecount">20</span></span><span title="40 bronze badges"><span class="badge3"></span><span class="badgecount">40</span></span>
</div>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td class="votecell"></td>
<td>
<div id="comments-22331292" class="comments ">
<table>
<tbody data-remaining-comments-count="0"
data-canpost="false"
data-cansee="true"
data-comments-unavailable="false"
data-addlink-disabled="true">
<tr id="comment-41010566" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">This snippet works perfectly for me. But I don&#39;t understand what it does :D</span>
&ndash;&nbsp;<a href="/users/1059828/abimelex"
title="2355 reputation"
class="comment-user">abimelex</a>
<span class="comment-date" dir="ltr"><span title="2014-10-02 11:51:57Z" class="relativetime-clean">Oct 2 '14 at 11:51</span></span>
</div>
</td>
</tr>
<tr id="comment-49416519" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">this worked for me, although i had to add a &#39;^&#39; i.e.... SetEnvIf Origin &quot;^http(s)?://(www\.)?</span>
&ndash;&nbsp;<a href="/users/414092/gypsydev"
title="128 reputation"
class="comment-user">gypsyDev</a>
<span class="comment-date" dir="ltr"><span title="2015-06-06 00:04:25Z" class="relativetime-clean">Jun 6 at 0:04</span></span>
<span class="edited-yes" title="this comment was edited 1 time"></span>
</div>
</td>
</tr>
<tr id="comment-50298005" class="comment ">
<td>
<table>
<tbody>
<tr>
<td class=" comment-score">
&nbsp;&nbsp;
</td>
<td>
&nbsp;
</td>
</tr>
</tbody>
</table>
</td>
<td class="comment-text">
<div style="display: block;" class="comment-body">
<span class="comment-copy">It does pretty much the same as <a href="http://stackoverflow.com/a/14034228/209139">stackoverflow.com/a/14034228/209139</a>. It&#39;s just that .htaccess syntax is a lot harder to read than PHP. <code>Header set Vary Origin</code> would be a nice addition to this answer.</span>
&ndash;&nbsp;<a href="/users/209139/trig"
title="4593 reputation"
class="comment-user">TRiG</a>
<span class="comment-date" dir="ltr"><span title="2015-06-30 16:36:16Z" class="relativetime-clean">Jun 30 at 16:36</span></span>
</div>
</td>
</tr>
</tbody>
</table>