Forum Discussion
NimbostratusCORS with multiple domains
I'm trying to catch the multiple domains in Header:Origin for CORS implementation with no luck. It gets only one domain. Does anybody know the solution ?
HTTP_Request:
if {([HTTP::host] equals "www.etc.com") && [HTTP::header exists Origin]} {
log local0. "[HTTP::host] - [HTTP::header Origin]"
set origin_host [HTTP::header Origin]
}
HTTP_Response:
if { [info exists origin_host] } {
HTTP::header insert Access-Control-Allow-Credentials true
log local0. "Set allow-origin to $origin_host"
HTTP::header insert Access-Control-Allow-Origin $origin_host
HTTP::header insert Access-Control-Allow-Headers "cache-control, if-modified-since, x-requested-with, Content-Type, origin, authorization, accept, client-security-token, keycode"
The error I'm receiving:
The 'Access-Control-Allow-Origin' header contains multiple values ' https://www.bbb.com', but only one is allowed. Origin 'https://www.bbb.com' is therefore not allowed access.
4 Replies
- JRahm
Admin
where is that error triggering? 
tntlt_92978By application logs.- tntlt_92978
Sorry guys, seems it is application issue.
Rory_Hewitt_F5_Cirrus
Although in theory the Origin request header (and, by extension, the Access-Control-Allow-Origin response header) allow multiple comma-separated values, see the note at the bottom (from http://www.w3.org/TR/cors/access-control-allow-origin-response-header):
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:
Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"
In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".
