How to implement CORS (Access-Control-Allow-Origin) correctly?

6.7k Views Asked by burnersk At 15 April 2025 at 04:37

I would like to access an third party resource (on another domain) via XML HTTP Requests (XHR, AJAX).

I setup CORS as follows (on both sides - target and origin):

Access-Control-Allow-Origin: http://www.example.com, https://www.example.com, http://www.example.org, https://www.example.org
Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS

Chrome, Firefox and Internet Explorer reject the XHR to https://www.example.org/foo when calling it on http://www.example.com/bar.

Most detailed error message is from Firefox:

XMLHttpRequest cannot load https://www.example.org/foo. The 'Access-Control-Allow-Origin' header contains multiple values 'http://www.example.com, https://www.example.com, http://www.example.org, https://www.example.org', but only one is allowed. Origin 'http://www.example.com' is therefore not allowed access.

That error confuses me extremely. It's like "Hey, you are A and want to talk to B but B only accept A, B. So you cannot talk to B". WTF?

How to implement CORS (Access-Control-Allow-Origin) correctly?

Original Q&A

There are 1 best solutions below

Quentin On 18 November 2014 at 14:38 BEST ANSWER

Access-Control-Allow-Origin only accepts * or a single origin.

If you want to support multiple origins but not all of them, then you must:

look at the Origin request header
check if it is on your list of acceptable origins
put it in the Access-Control-Allow-Origin response header

How to implement CORS (Access-Control-Allow-Origin) correctly?

There are 1 best solutions below

Related Questions in JAVASCRIPT

Related Questions in AJAX

Related Questions in XMLHTTPREQUEST

Related Questions in CORS

Related Questions in ACCESS-CONTROL

Trending Questions

Popular # Hahtags

Popular Questions