Access-Control-Allow-Origin syntax
Wildcards are not allowed in the Access-Control-Allow-Origin
header. It has to be an exact match. You can either allow all domains by setting the value to *
, or conditionally echo the value of the Origin
request header if it matches one of your allowed domains.
Note that the Origin spec allows for multiple origins separated by a space. However I am not sure if this works with the Access-Control-Allow-Origin
header. It may be worth a try.