Specify Multiple Subdomains with Access Control Origin
The solution to this issue is to use the $_SERVER['HTTP_ORIGIN']
variable to determine whether the request has come from an allowed domain, and then conditionally set the Access-Control-Allow-Origin
like so:
$allowed_domains = [/* Array of allowed domains*/];if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_domains)) { header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);}
Here's how I did it.
The Origin
header is specified by the browser and will contain the domain that requested the script on the other domain:
Origin: http://www.websiteA.com
Therefore you can "whitelist" multiple domains in your server-side script:
$allowedOrigins = [ "http://www.websiteA.com", "https://www.websiteB.com" // ... etc];
What you can then do is check if the $_SERVER["HTTP_ORIGIN"]
global contains a domain within that whitelist:
if (in_array($_SERVER["HTTP_ORIGIN"], $allowedOrigins)) {
And set the Access-Control-Allow-Origin
response header to whatever Origin
header value was:
header("Access-Control-Allow-Origin: " . $_SERVER["HTTP_ORIGIN"]);
Full script:
$allowedOrigins = [ "http://www.websiteA.com", "https://www.websiteB.com" // ... etc];if (in_array($_SERVER["HTTP_ORIGIN"], $allowedOrigins)) { header("Access-Control-Allow-Origin: " . $_SERVER["HTTP_ORIGIN"]);}
While the answer works, it does defeat the purpose of the whole thing, since it allows requests from any host.
I use something like:
if(isset($_SERVER['HTTP_ORIGIN'])) { $origin = $_SERVER['HTTP_ORIGIN']; if($origin == 'https://sub1.my-website.com' OR $origin == 'https://sub2.my-website.com') { header("Access-Control-Allow-Origin: $origin"); }}