CORS mismatch because of http
It looks like you want to allow requests for the main domain and a subdomain. CORS specification does not permit that in a single header. Either the exact domain or '*'. You have to dynamically check the domain and set that in the header.
With NGINX:
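    server {
        root /path/to/your/stuff;
        index index.html index.htm;

        # Flag the request when Origin is domain.com or one of its subdomains.
        # The pattern is anchored and its dots are escaped, so an origin that
        # merely contains ".domain.com" somewhere in it does not match.
        set $cors "";
        if ($http_origin ~* "^https?://([a-z0-9-]+\.)*domain\.com$") {
            set $cors "true";
        }

        server_name domain.com;

        location / {
            # Echo the validated origin back; '*' cannot be combined with credentials.
            if ($cors = "true") {
                add_header 'Access-Control-Allow-Origin' "$http_origin";
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
            }

            # Answer preflight requests without a body.
            if ($request_method = OPTIONS) {
                return 204;
            }
        }
    }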
With PHP:
Examine $_SERVER['HTTP_HOST'] and search it for your desired (sub)domains, and then conditionally set your CORS headers with PHP.
So, something like this:
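    $allowed_hosts = array('sub.domain.app', 'domain.app');

    // in_array() takes the value to look for first and the list second;
    // the third argument enforces a strict (type-safe) comparison.
    if (in_array($_SERVER['HTTP_HOST'], $allowed_hosts, true)) {
        header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_HOST']);
    }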
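An added example, not part of the original answers: a PHP check that validates the browser's Origin request header (exposed as $_SERVER['HTTP_ORIGIN']) against domain.app and its subdomains, and returns the full origin, scheme included, to echo in Access-Control-Allow-Origin. The function name cors_allowed_origin(), the https-only default, the any-port policy and the sample origins are assumptions made for this illustration.

```php
<?php
// Added illustration; the function name, https-only policy and sample
// origins are constructed for this example.

/** Return the value for Access-Control-Allow-Origin, or null to send none. */
function cors_allowed_origin(?string $origin, string $base, array $schemes = ['https']): ?string
{
    if ($origin === null || $origin === '' || $origin === 'null') {
        return null;                    // header absent, or opaque "null" origin
    }
    $p = parse_url($origin);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    // A real Origin value has no path, query, fragment or credentials.
    if (array_diff(array_keys($p), ['scheme', 'host', 'port'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, $schemes, true) || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;                    // http://x and https://x are different origins
    }
    // Exact base domain, or a suffix match that includes the separating dot.
    $suffix = '.' . $base;
    if ($host !== $base && substr($host, -strlen($suffix)) !== $suffix) {
        return null;
    }
    // Any port on an allowed host is accepted here (assumption).
    return $scheme . '://' . $host . (isset($p['port']) ? ':' . $p['port'] : '');
}

// Request handler: validate the Origin header and echo it only when allowed.
$allow = cors_allowed_origin($_SERVER['HTTP_ORIGIN'] ?? null, 'domain.app');
if ($allow !== null) {
    header('Access-Control-Allow-Origin: ' . $allow);
    header('Vary: Origin');             // the response now depends on Origin
}

// Constructed sample origins, printed when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['https://domain.app', 'https://sub.domain.app:8443',
                'http://sub.domain.app', 'https://domain.app.evil.example',
                'https://evildomain.app', 'null'];
    foreach ($samples as $o) {
        printf("%-34s => %s\n", $o, cors_allowed_origin($o, 'domain.app') ?? '(no CORS header)');
    }
}
```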
At the top of the page from which you would like to get your result by AJAX, add the following:
<?php header('Access-Control-Allow-Origin: *'); ?>
It will solve your problem.