Fixing Access-Control-Allow-Origin (CORS origin) for multiple subdomains
Following from my previous question, "Is it safe to fix Access-Control-Allow-Origin (CORS origin) errors with a php header directive?", the only solution that worked for me was:
header("Access-Control-Allow-Origin: http://mozilla.com");
However, I have 4 subdomains that I need to enable to access the data on the main domain.
I tried to repeat the command, like this:
header("Access-Control-Allow-Origin: http://site1.com");
header("Access-Control-Allow-Origin: http://site2.com");
header("Access-Control-Allow-Origin: http://site3.com");
but it did not work.
I tried the solution posted by @yesthatguy in this response to this question: Access-Control-Allow-Origin Multiple Origin Domains?
I used this code:
<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(www\.)?(audio.coptic-treasures.com|video.coptic-treasures.com|text.coptic-treasures.com)$" AccessControlAllowOrigin=$0$1
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
</IfModule>
But it did not work. I get the following error:
XMLHttpRequest cannot load https://coptic-treasures.com/wp-json/frm/v2/forms/6?return=html. The 'Access-Control-Allow-Origin' header contains multiple values 'https://audio.coptic-treasures.com, https://audio.coptic-treasures.coms', but only one is allowed. Origin 'https://audio.coptic-treasures.com' is therefore not allowed access.
I do not have a duplication of any URLs.
Then I read in the W3.org article regarding CORS, section 6.4 the following:
Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins.
I appreciate any help in implementing the w3.org recommendations.
Also, I don't currently have any caching or CDN, but on the live site, both will be active.
Thanks in advance.
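One way to do what the quoted W3C section recommends, as an added example that is not part of the original question: echo the request's Origin back only when it is on an exact-match allowlist, and send Vary: Origin on every response. The function names are hypothetical and the allowlist (HTTPS only) is assumed from the subdomains in the question's regex.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: the subdomains named in the question's regex, HTTPS only.
const ALLOWED_ORIGINS = [
    'https://audio.coptic-treasures.com',
    'https://video.coptic-treasures.com',
    'https://text.coptic-treasures.com',
];

// Hypothetical helper: returns the CORS headers for one request's Origin value.
function cors_headers(?string $origin, array $allowed = ALLOWED_ORIGINS): array
{
    // Vary on Origin for every response, refused origins included, so a cache
    // or CDN never replays a response that was generated for another origin.
    $headers = ['Vary' => 'Origin'];

    // Exact, case-sensitive comparison against the list; no regex to get wrong.
    if ($origin !== null && in_array($origin, $allowed, true)) {
        $headers['Access-Control-Allow-Origin'] = $origin; // exactly one value
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

// Hypothetical helper: emits the headers; call it before any output is sent.
function send_cors_headers(): void
{
    foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $name => $value) {
        // Replace an Allow-* header set earlier in PHP, but append to an existing Vary.
        header("$name: $value", $name !== 'Vary');
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample origins, to show the decision offline.
    $samples = ['https://audio.coptic-treasures.com', 'http://site1.com', null];
    foreach ($samples as $origin) {
        echo json_encode($origin, JSON_UNESCAPED_SLASHES), ' => ',
            json_encode(cors_headers($origin), JSON_UNESCAPED_SLASHES), PHP_EOL;
    }
} else {
    send_cors_headers();
}
```

Set the header in this one layer only: `Header add` in Apache appends a second Access-Control-Allow-Origin value when one is already present, and in the question's rule `$0$1` expands to the whole matched origin followed by the first capture group (the `s` of `https`).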