Question

22

Specify Multiple Subdomains with Access Control Origin

rated 0 times [ 25] [ 3] / answers: 1 / hits: 45475 / 13 Years ago, fri, march 9, 2012, 12:00:00

I am trying to allow access to every subdomain on my site in order to allow cross subdomain AJAX calls. Is there a way to specify all subdomains of a site like *.example.com or alternatively, why does the following not work when I have more than one domain listed:

header('Access-Control-Allow-Origin: http://api.example.com http://www.example.com');

I have read through the following question which appears to be similar, if not the same as this one, other than the fact that I want access to subdomains and this one refers to general domains.

Access-Control-Allow-Origin Multiple Origin Domains?

If the above question is the solution to this problem, then how am I able to retrieve the origin from the header. It appears that $_SERVER['HTTP_ORIGIN'] is very unreliable and not even cross browser. I need to be able to see the origin in any browser that may show an error when trying to send an AJAX call using javascript.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

seth

Add To Favorites

Follow

Total Points: 307

Total Questions: 114

Total Answers: 96

Location: Kenya

Member since Mon, Jun 14, 2021

3 Years ago

seth questions

1 NextJS: Reload iFrame from another component

Tue, Feb 8, 22, 00:00, 2 Years ago

1 Storybook not showing styles

Thu, Dec 24, 20, 00:00, 4 Years ago

1 Debugging with VSCODE not working in a Webpack + Typescript + no-framework

Mon, May 18, 20, 00:00, 4 Years ago

1 How to set dynamic html tag according to props in Svelte

Sun, Apr 19, 20, 00:00, 4 Years ago

1 Unable to pass props in Next

Thu, Apr 9, 20, 00:00, 4 Years ago

View All

answered 13 Years ago rohan · Accepted Answer

The solution to this issue is to use the $_SERVER['HTTP_ORIGIN'] variable to determine whether the request has come from an allowed domain, and then conditionally set the Access-Control-Allow-Origin like so:

$allowed_domains = [/* Array of allowed domains*/];



if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_domains)) {

    header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);

}