Access-Control-Allow-Origin with multiple origin domains (CORS)
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. [According to developer.mozilla.org]
In your Episerver site, you can add a single domain to your web.config file like this.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="https://www.domain.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
You can allow all origins by replacing the domain with *, but it's not possible to add a list of domains in web.config.
To allow more than one domain, check the Origin header of the request against a list of allowed domains, and return only the matching domain in Access-Control-Allow-Origin. Example:
[HttpGet]
public JsonResult Index(string id)
{
    var origin = Request.Headers["Origin"];
    if (origin == "https://www.domain1.com" || origin == "https://www.domain2.com")
    {
        Response.AddHeader("Access-Control-Allow-Origin", origin);
    }
    ...
}
That's it!
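The same check packaged as a reusable ASP.NET MVC action filter, as an added example that is not from the original post. The names CorsAllowListAttribute and ResolveAllowedOrigin are hypothetical; the filter matches the full origin exactly and sends Vary: Origin so a cache does not serve one origin's response to another.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Added example: the class name, helper name and origins are hypothetical.
public class CorsAllowListAttribute : ActionFilterAttribute
{
    // Exact, full-origin matches only (scheme + host + optional port).
    // No prefix, suffix or regex matching, so look-alike hosts such as
    // "https://www.domain1.com.example" are never allowed.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "https://www.domain1.com",
            "https://www.domain2.com"
        };

    // Returns the origin to echo back, or null when it must not be allowed
    // (missing header, the literal "null" origin, or anything not listed).
    public static string ResolveAllowedOrigin(string origin)
    {
        if (string.IsNullOrEmpty(origin)) return null;
        return AllowedOrigins.Contains(origin) ? origin : null;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var response = filterContext.HttpContext.Response;

        // The response now differs per Origin, so tell caches about it,
        // even when no CORS header is emitted for this request.
        response.AppendHeader("Vary", "Origin");

        var allowed = ResolveAllowedOrigin(request.Headers["Origin"]);
        if (allowed != null)
        {
            response.AppendHeader("Access-Control-Allow-Origin", allowed);
        }

        base.OnActionExecuting(filterContext);
    }
}
```

Apply it with [CorsAllowList] on a controller or action, and remove the static Access-Control-Allow-Origin entry from web.config so the response does not carry two values for the header, which browsers reject.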