Access-Control-Allow-Origin Limit

I set up our public site with the header Access-Control-Allow-Origin: * so that we can use JSON and AJAX. However, what I really want to do is limit it to just a few servers. Requests should come from only a few servers that we manage. I had trouble finding a way to do this without adding code (pseudo-code example):

    for each domain in myDomains
        addheader Access-Control-Allow-Origin: domain
    next

Can I just add multiple “Access-Control-Allow-Origin” headers in IIS on the “HTTP Headers” tab? I know you can actually add them in IIS, but does it work?

Example:

    Access-Control-Allow-Origin: http://domain1
    Access-Control-Allow-Origin: http://domain2
    Access-Control-Allow-Origin: http://127.0.0.1    (using localhost as an IP example)

Using Access-Control-Allow-Origin: * is simply not safe.

+4
1 answer

No, multiple Access-Control-Allow-Origin headers are not valid. You can have only one Access-Control-Allow-Origin response header, and this header can have only one origin value or * (for example, you cannot have multiple space-separated values).

Your best option is to read the incoming Origin header, check its value against the whitelist, and only generate the Access-Control-Allow-Origin header if the origin is allowed. Here is an example in pseudo code:

    origin = request.getHeader('Origin');
    for each domain in myDomains
        if (domain == origin)
            // Add the header if the origin is whitelisted
            addheader Access-Control-Allow-Origin: domain
            return
    // Otherwise exit the for loop without adding any headers.
+8
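An added example (not from the original question or answer) of the whitelist check the answer describes, written in Python so it runs stand-alone; the allow-list entries and the function names are constructed for illustration. It goes slightly beyond the answer's pseudocode: the Origin is normalized (lowercased, default port dropped) before an exact comparison, and a `Vary: Origin` header is always emitted so a shared cache does not serve one origin's response to another.

```python
# Added example, not code from the original post. Origin allow-list check
# for CORS: echo the request's Origin only if it is on the list, exactly.
from urllib.parse import urlsplit

# Constructed allow-list. Entries are whole origins (scheme://host[:port]),
# matched exactly; never use substring or suffix matching here, or
# "http://domain1.attacker.example" would also pass.
ALLOWED_ORIGINS = frozenset({
    "http://domain1",
    "http://domain2",
    "http://127.0.0.1",
})

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in canonical form, or None if unusable.

    'null', empty, non-http(s) and unparsable values all yield None, which
    the caller treats as 'not allowed'.
    """
    if not origin:
        return None
    try:
        parts = urlsplit(origin.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname  # already lowercased by urlsplit
        port = parts.port      # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Response headers to add for one request.

    Always sets Vary: Origin so caches key on the Origin; adds
    Access-Control-Allow-Origin only when the origin is whitelisted.
    """
    origin = normalize_origin(request_headers.get("Origin"))
    headers = {"Vary": "Origin"}
    if origin is not None and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```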

Source: https://habr.com/ru/post/1485635/
