Cross-Domain Ajax, Multiple Site Syntax Issues


What is the correct syntax for listing multiple domains to be allowed for cross-domain AJAX calls? My code does this:

 

<?php
header("Access-Control-Allow-Origin: http://website.com");

 

This works when website.com is the caller, but not when www.website.com is the caller. So I tried:

 

<?php
header("Access-Control-Allow-Origin: http://website.com http://www.website.com");

 

... and...

 

<?php
header("Access-Control-Allow-Origin: http://website.com, http://www.website.com");

 

But these things don't work. When I say they don't work, I mean that neither website.com nor www.website.com will be able to make the call with those configurations. So right now the only option is to put * and allow everything. I don't want to do that.

 

Is there another header directive or something that I need? I saw something about Access-Control-Allow-Headers: X-Requested-With but that didn't work either.

I don't have HTTP_ORIGIN in the requests. I've tested on my server and a couple customers. This won't work as a solution.

 

So two questions:

1) What is the expected format to list domains? Comma-separated? Space-separated? Some server setting that determines the separation? It should work.

2) Can I put multiple headers like this? Is it expected and/or good practice?

 

 

<?php

header("Access-Control-Allow-Origin: http://website.com");

header("Access-Control-Allow-Origin: http://www.website.com");

The spec says space separated. Whether browsers allow it or not I don't know, I have not really dealt with such stuff yet.

 

You should have the origin header value somewhere. It's a required header as part of the CORS stuff. If you're using a CGI setup you may need to configure the server to forward that header along to PHP.

 

  • 4 weeks later...

Try this:

 

 

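<?php
// The Origin header is not present on every request, so guard the lookup.
$http_origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
// Send the CORS header only when the caller is one of the known sites.
if ($http_origin == "http://www.domain1.com" || $http_origin == "http://www.domain2.com" || $http_origin == "http://www.domain3.info")
{
    header('Access-Control-Allow-Origin: *');
}
?>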

$_SERVER['HTTP_REFERER']; You can do something like a preg_match() to check your domains against the HTTP_REFERER and see if you want to send the extra header() to allow cross-domain ajax requests. I'm fairly sure the HTTP_REFERER will do what you are looking for in this case, but lack of sleep may have me convinced of things that aren't necessarily true. I may eventually implement something along these lines for my own purposes, so if it works or you find a better way, don't forget to drop back by here and let me know how it turns out.
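
An added example, not code from any poster in this thread: Access-Control-Allow-Origin carries a single origin (or *), so serving several callers means comparing the request's Origin header against an allowlist and echoing back only the one that matched. The function names and the PHP 7.1+ syntax are assumptions; the two origins are the thread's placeholder domains.

```php
<?php
// Allowlist of callers (the thread's placeholder domains).
const ALLOWED_ORIGINS = [
    'http://website.com',
    'http://www.website.com',
];

/**
 * Return the origin to echo back, or null when the request's Origin is
 * absent or not on the allowlist. Exact, strict string comparison only:
 * no substring or regex matching, so a look-alike host that merely
 * contains an allowed name cannot pass.
 */
function cors_allowed_origin(?string $origin, array $allowlist): ?string
{
    if ($origin === null || $origin === '') {
        return null; // no Origin header on this request
    }
    return in_array($origin, $allowlist, true) ? $origin : null;
}

function send_cors_headers(): void
{
    // The response differs per Origin, so shared caches must key on it.
    header('Vary: Origin');

    $allowed = cors_allowed_origin($_SERVER['HTTP_ORIGIN'] ?? null, ALLOWED_ORIGINS);
    if ($allowed === null) {
        return; // no CORS header sent: the browser blocks the cross-origin read
    }

    // Exactly one origin value. header() replaces an earlier header of the
    // same name by default, so calling it twice would keep only the last.
    header('Access-Control-Allow-Origin: ' . $allowed);

    // Answer the preflight that a custom header such as X-Requested-With triggers.
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        header('Access-Control-Allow-Methods: GET, POST');
        header('Access-Control-Allow-Headers: X-Requested-With');
        http_response_code(204);
        exit;
    }
}

send_cors_headers();
```

Call this before any output is sent. The check reads Origin rather than Referer because Origin is the header the browser's CORS check is based on, and Referer may be missing or trimmed by referrer policy.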
