Is this a valid Access-Control-Allow-Origin?
This is my http endpoint return:
Would this be valid?
"Access-Control-Allow-Origin": "*.xyz.com" ? If not, is there a workaround?
Sorry, too lazy to test myself.

2 Replies
Access-Control-Allow-Origin can only accept a single value: Either a full domain name, or * (any origin).
If you have multiple domains that you want to allow:
- Maintain a list of said domains (i.e. stick them in an array somewhere)
- When a request comes in from an allowed domain, send the Access-Control-Allow-Origin: <insert domain here> header
- When a request comes in from a not-allowed domain, DO NOT send the Access-Control-Allow-Origin header
More info:
https://devdocs.io/http/headers/access-control-allow-origin
https://devdocs.io/http/cors
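
The allowlist approach from the reply above, as an added example that is not part of the original thread. It also goes one step further and covers the `*.xyz.com` intent from the question by matching subdomains on a label boundary; the origins, the parent domain and the function names are constructed for illustration.

```javascript
// Constructed sample values: exact origins that are always allowed.
const ALLOWED_ORIGINS = new Set(["https://app.xyz.com", "https://admin.xyz.com"]);
// Assumption: any https subdomain of this parent is trusted (the "*.xyz.com" intent).
const ALLOWED_PARENT_DOMAIN = "xyz.com";

// Returns the origin to echo back, or null when no CORS header may be sent.
function matchOrigin(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "") return null;
  if (ALLOWED_ORIGINS.has(originHeader)) return originHeader;

  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // not a parseable origin, e.g. the literal string "null"
  }
  // Accept only a bare https origin in canonical form: no path, query or
  // credentials. Any non-default port on a trusted host is accepted here.
  if (url.protocol !== "https:" || url.origin !== originHeader) return null;

  // Compare on a label boundary, so "evilxyz.com" and "xyz.com.evil.net"
  // do not pass the way a plain substring or suffix check would let them.
  const host = url.hostname;
  if (host === ALLOWED_PARENT_DOMAIN || host.endsWith("." + ALLOWED_PARENT_DOMAIN)) {
    return originHeader;
  }
  return null;
}

// Builds the CORS response headers for one request's Origin header value.
function corsHeaders(originHeader) {
  // The response differs per Origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };
  const allowed = matchOrigin(originHeader);
  if (allowed !== null) headers["Access-Control-Allow-Origin"] = allowed;
  return headers;
}
```

Call `corsHeaders(req.headers.origin)` in the request handler and copy the returned pairs onto the response; a rejected origin gets only `Vary: Origin`.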