PHP – Access-Control-Allow-Origin Syntax

ajaxcorscross-domainhttpphp

I want allow Cross-origin resource sharing from all the sub-domain of from.example.com.
So I added Cross-origin resource sharing header as given below to a page in subdomain1.to.example.com.

<?php header('Access-Control-Allow-Origin: *.from.example.com');

And I tried to access the page form subdomain1.from.example.com using ajax.
I didn't get the response. So I just changed the above header as given below.

<?php header('Access-Control-Allow-Origin: http://subdomain1.from.example.com');

It works well for the subdomain1.from.example.com only.

What was the issue with first header?

Best Answer

Wildcards are not allowed in the Access-Control-Allow-Origin header. It has to be an exact match. You can either allow all domains by setting the value to *, or conditionally echo the value of the Origin request header if it matches one of your allowed domains.

Note that the Origin spec allows for multiple origins separated by a space. However I am not sure if this works with the Access-Control-Allow-Origin header. It may be worth a try.

Related Solutions

JavaScript – How to Bypass Access-Control-Allow-Origin

Put this on top of retrieve.php:

header('Access-Control-Allow-Origin: *');

Note that this effectively disables CORS protection, and leaves your users exposed to attack. If you're not completely certain that you need to allow all origins, you should lock this down to a more specific origin:

header('Access-Control-Allow-Origin: https://www.example.com');

Please refer to following stack answer for better understanding of Access-Control-Allow-Origin

Further more you can read more about CORS here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

https://stackoverflow.com/a/10636765/413670

JavaScript CORS – Fix ‘Origin is Not Allowed by Access-Control-Allow-Origin’

I wrote an article on this issue a while back, Cross Domain AJAX.

The easiest way to handle this if you have control of the responding server is to add a response header for:

Access-Control-Allow-Origin: *

This will allow cross-domain Ajax. In PHP, you'll want to modify the response like so:

<?php header('Access-Control-Allow-Origin: *'); ?>

You can just put the Header set Access-Control-Allow-Origin * setting in the Apache configuration or htaccess file.

It should be noted that this effectively disables CORS protection, which very likely exposes your users to attack. If you don't know that you specifically need to use a wildcard, you should not use it, and instead you should whitelist your specific domain:

<?php header('Access-Control-Allow-Origin: http://example.com') ?>

Best Answer

Related Solutions

JavaScript – How to Bypass Access-Control-Allow-Origin

JavaScript CORS – Fix ‘Origin is Not Allowed by Access-Control-Allow-Origin’

Related Question