Forum Discussion

Nimbostratus

Sep 21, 2015

CORS with multiple domains

I'm trying to catch the multiple domains in Header:Origin for CORS implementation with no luck. It gets only one domain. Does anybody know the solution ? HTTP_Request: if {([HTTP::host] equals "ww...

Cirrus

Oct 08, 2015

Although in theory the Origin request header (and, by extension, the Access-Control-Allow-Origin response header) allow multiple comma-separated values, see the note at the bottom (from http://www.w3.org/TR/cors/access-control-allow-origin-response-header):

The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

CORS with multiple domains

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

CORS implementation

Using n8n To Orchestrate Multiple Agents

APM Cookbook: Multiple Domain Authentication - Part 1

Adding CORS response headers

Enriching AFM with public domain Threat Intelligence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS