CORS missmatch because of http

It looks like you want to allow requests for the main domain and a subdomain. CORS specification does not permit that in a single header. Either the exact domain or '*'. You have to dynamically check the domain and set that in the header.

With NGINX:

 server {    root /path/to/your/stuff;    index index.html index.htm;     set $cors "";    if ($http_origin ~* (.*\.domain.com)) {        set $cors "true";    }    server_name domain.com;    location / {        if ($cors = "true") {            add_header 'Access-Control-Allow-Origin' "$http_origin";            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';            add_header 'Access-Control-Allow-Credentials' 'true';            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';        }        if ($request_method = OPTIONS) {            return 204;        }    }}

More here.

With PHP

Examine $_SERVER['HTTP_HOST'] and search it for your desired (sub)domains, and then conditionally set your CORS headers with PHP.

So, something like this:

$allowed_hosts = array('sub.domain.app', 'domain.app');if (in_array($allowed_hosts, $_SERVER['HTTP_HOST'])) {  header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_HOST']);}

The page where you would like to get your result by ajax at the top of this page add the following :

<?php header('Access-Control-Allow-Origin: *'); ?>

it will solve your problem.