Restrict CORS to multiple domains

I want to allow CORS from multiple domains, but not all domains.

This works for one domain:

r.headers['Access-Control-Allow-Origin'] = "https://mydomain1.com"

but I cannot work out how to add another. I’ve tried:

# Multiple headers - only allows the second (kinda expected)
r.headers['Access-Control-Allow-Origin'] = "https://mydomain1.com"
r.headers['Access-Control-Allow-Origin'] = "https://mydomain2.com"
# Separated values, only takes the first (tried all forms of delimiter)
r.headers['Access-Control-Allow-Origin'] = "https://mydomain1,https://mydomain2.com"
# Array & dict
r.headers['Access-Control-Allow-Origin'] = ["https://mydomain1.com","https://mydomain2.com"]
r.headers['Access-Control-Allow-Origin'] = {"https://mydomain1.com","https://mydomain2.com"}

Can’t think of anything else?

I think this might be a restriction of the Allow-Access-Control-Origin header spec - could you dynamically return the header for the correct domain depending on the domain that the request was made against?

Yeah, that’s what I’m working through now. Just wanted to make sure I wasn’t missing anything.
Cheers.

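The approach suggested in the reply, returning the header per request, as an added example that is not part of the original thread. It is framework-agnostic: the function names and the plain dict of request headers are assumptions, and the allowlist uses the two origins from the question.

```python
from urllib.parse import urlsplit

# Allowlist of exact origins (the two domains from the question).
ALLOWED_ORIGINS = frozenset({
    "https://mydomain1.com",
    "https://mydomain2.com",
})


def normalize_origin(value):
    """Return scheme://host[:port] in lowercase, or None if not a plain origin."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A real Origin header has no path, query, fragment or userinfo.
    if (parts.path or parts.query or parts.fragment
            or parts.username or parts.password):
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    return f"{origin}:{port}" if port else origin


def cors_headers(request_headers):
    """Build the CORS headers to set on the response for this request.

    request_headers is assumed to be a dict of the incoming HTTP headers.
    """
    # Always vary on Origin so a shared cache never replays a response
    # carrying one origin's Allow-Origin value to a different origin.
    headers = {"Vary": "Origin"}
    lookup = {k.lower(): v for k, v in request_headers.items()}
    origin = normalize_origin(lookup.get("origin"))
    # Exact set membership: no substring, prefix or suffix matching, so
    # look-alike hosts such as mydomain1.com.other.example are refused.
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    # For any other origin the header is omitted and the browser blocks
    # the cross-origin read.
    return headers
```

Set each returned pair on the response, in the same way the question sets `r.headers['Access-Control-Allow-Origin']`.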