kstulgys · 4mo ago

Is this a valid Access-Control-Allow-Origin?

This is what my HTTP endpoint returns:
  return new Response(null, {
    status: 200,
    headers: new Headers({
      "Access-Control-Allow-Origin": "*.xyz.com",
    }),
  });
Would this be valid: "Access-Control-Allow-Origin": "*.xyz.com"? If not, is there a workaround? Sorry, too lazy to test myself.
2 Replies
aheimlich · 4mo ago
Access-Control-Allow-Origin can only accept a single value: either a full domain name, or * (any origin). If you have multiple domains that you want to allow:
- Maintain a list of said domains (i.e. stick them in an array somewhere)
- When a request comes in from an allowed domain, send the Access-Control-Allow-Origin: <insert domain here> header
- When a request comes in from a not-allowed domain, DO NOT send the Access-Control-Allow-Origin header

More info:
https://devdocs.io/http/headers/access-control-allow-origin
https://devdocs.io/http/cors
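
One way to implement the allowlist approach from the reply above, extended to cover the subdomains that "*.xyz.com" was meant to match. This is an added example, not code from the thread; ALLOWED_ORIGINS, ALLOWED_PARENT_DOMAIN, isAllowedOrigin and corsResponse are hypothetical names, and the listed origins are constructed.

```javascript
// Added example (not from the thread). All names below are hypothetical.
// Exact origins that are always allowed (constructed sample values).
const ALLOWED_ORIGINS = new Set(["https://xyz.com", "https://app.xyz.com"]);
// Parent domain whose subdomains are allowed: the intent behind "*.xyz.com".
const ALLOWED_PARENT_DOMAIN = "xyz.com";

function isAllowedOrigin(origin) {
  // Missing header, or the opaque origin "null" (sandboxed frames, file://).
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  // A real Origin header is exactly scheme://host[:port]; reject paths,
  // trailing slashes and anything else that does not round-trip.
  if (url.origin !== origin) return false;
  if (ALLOWED_ORIGINS.has(origin)) return true;
  // Subdomain match: https only, default port, and a leading dot so that
  // "evilxyz.com" and "xyz.com.evil.example" do not pass.
  return (
    url.protocol === "https:" &&
    url.port === "" &&
    url.hostname.endsWith("." + ALLOWED_PARENT_DOMAIN)
  );
}

function corsResponse(request) {
  const origin = request.headers.get("Origin");
  // The response differs per Origin, so tell caches to key on it.
  const headers = new Headers({ Vary: "Origin" });
  if (isAllowedOrigin(origin)) {
    // Echo the single matching origin; never a pattern.
    headers.set("Access-Control-Allow-Origin", origin);
  }
  // For a not-allowed origin the header is simply not sent.
  return new Response(null, { status: 200, headers });
}
```
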
sshader · 4mo ago
(for CORS things in general, I'm a fan of going through https://httptoolkit.com/will-it-cors/)