Is this a valid Access-Control-Allow-Origin?
This is my http endpoint return:
Would this be valid? "Access-Control-Allow-Origin": "*.xyz.com"? If not, is there a workaround?
Sorry, too lazy to test myself.

2 Replies
Access-Control-Allow-Origin can only accept a single value: either a full domain name, or * (any origin).
If you have multiple domains that you want to allow:
- Maintain a list of said domains (i.e. stick them in an array somewhere)
- When a request comes in from an allowed domain, send the Access-Control-Allow-Origin: <insert domain here> header
- When a request comes in from a not-allowed domain, DO NOT send the Access-Control-Allow-Origin header
More info:
https://devdocs.io/http/headers/access-control-allow-origin
https://devdocs.io/http/cors
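
The allowlist procedure from the reply above, as an added example (not code from the thread). It goes one step further and also accepts HTTPS subdomains of xyz.com, which is what `*.xyz.com` was meant to express. The names `ALLOWED_ORIGINS`, `ALLOWED_PARENT`, `isAllowedOrigin` and `corsHeaders`, the sample origins, the HTTPS-only rule and the `Vary: Origin` header are assumptions of this example.

```javascript
// Exact origins (scheme + host + optional port) that may read responses.
// Constructed sample values; xyz.com is the domain from the question.
const ALLOWED_ORIGINS = new Set(["https://xyz.com", "https://app.xyz.com"]);

// Assumption: any HTTPS subdomain of this parent is also trusted.
const ALLOWED_PARENT = "xyz.com";

function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "" || origin === "null") return false;
  if (ALLOWED_ORIGINS.has(origin)) return true;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable origin
  }
  // Reject anything that is not a bare, normalized origin
  // (paths, credentials, query strings, upper-case host names).
  if (url.origin !== origin) return false;
  if (url.protocol !== "https:") return false;
  // Match on a label boundary: the leading dot keeps "evilxyz.com" out,
  // and a suffix check keeps "xyz.com.evil.example" out.
  return url.hostname.endsWith("." + ALLOWED_PARENT);
}

// Returns the CORS headers to add to a response for the request's Origin header.
function corsHeaders(requestOrigin) {
  // Vary: Origin is always sent so a shared cache does not reuse a response
  // generated for one origin when answering a different one.
  const headers = { Vary: "Origin" };
  if (isAllowedOrigin(requestOrigin)) {
    // Echo the single matching origin; never a list, never a pattern.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}
```

In a request handler, merge the result of `corsHeaders(req.headers.origin)` into the response headers before sending.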