Access-Control-Allow-Origin

From annawiki
https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
In practice the origin-list-or-null production is more constrained. 
Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

multiple values

  • separator in Apache can be comma - no space after comma!
  • multiple values rejected by Chrome

Store the list of allowed origins in Apache and return only the one that matches the request's Origin

https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
# ----------------------------------------------------------------------
# Allow loading of external fonts
# ----------------------------------------------------------------------
<FilesMatch "\.(ttf|otf|eot|woff)$">
   <IfModule mod_headers.c>
       # Anchor the pattern and escape the dots so only the listed origins match;
       # $0 stores the matched Origin value in the environment variable.
       SetEnvIf Origin "^https?://(www\.)?(google\.com|staging\.google\.com|development\.google\.com|otherdomain\.example|dev02\.otherdomain\.example)$" AccessControlAllowOrigin=$0
       # Return only the matched origin, as a single header value.
       Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
       # Caches must key on Origin because the response varies with it.
       Header merge Vary Origin
   </IfModule>
</FilesMatch>
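
An added example (not from this wiki or the linked answer) for checking a SetEnvIf-style origin allowlist against sample Origin values before deploying it. Python's `re` stands in for Apache's regex engine, the function names are hypothetical, and the sample origins are constructed.

```python
import re

# Two forms of an allowlist regex for "SetEnvIf Origin ...".
# LOOSE: no leading anchor, dots unescaped ("." matches any character).
# STRICT: anchored at both ends, dots escaped.
LOOSE = r"http(s)?://(www\.)?(google.com|staging.google.com|otherdomain.example)$"
STRICT = r"^https?://(www\.)?(google\.com|staging\.google\.com|otherdomain\.example)$"

# Constructed sample Origin values -> whether the allowlist is meant to accept them.
SAMPLES = {
    "https://www.google.com": True,
    "http://otherdomain.example": True,
    "https://staging-google.com": False,  # one character away from staging.google.com
    "https://evil.example": False,
    "null": False,
}


def cors_headers(origin, pattern):
    """Mimic SetEnvIf + Header: echo the single matched origin, or send no ACAO."""
    headers = {"Vary": "Origin"}  # "Header merge Vary Origin" is unconditional
    if origin is not None:
        m = re.search(pattern, origin)  # SetEnvIf searches; anchors must be explicit
        if m:
            headers["Access-Control-Allow-Origin"] = m.group(0)  # $0 in SetEnvIf
    return headers


def mismatches(pattern):
    """Return the sample origins whose result differs from the intended one."""
    return [
        origin
        for origin, wanted in SAMPLES.items()
        if ("Access-Control-Allow-Origin" in cors_headers(origin, pattern)) != wanted
    ]


if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "mismatches:", mismatches(pattern))
```

Extend `SAMPLES` with the origins a site actually serves plus near-miss hostnames, and require an empty mismatch list before the pattern goes into the config.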