How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags?

There are 3 ways to allow cross domain origin (excluding jsonp):

  1. Set the header in the page directly using a templating language like PHP. Keep in mind there can be no HTML before your header or it will fail.

  2. Modify the server configuration file (apache.conf) and add this line. Note that "*" represents allow all. Some systems might also need the credential set. In general allow all access is a security risk and should be avoided:

    Header set Access-Control-Allow-Origin “*”
    Header set Access-Control-Allow-Credentials true

  3. To allow multiple domains on Apache web servers add the following to your config file

    SetEnvIf Origin “http(s)?://(www\.)?(|$” AccessControlAllowOrigin=$0$1
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true

  4. For development use only hack your browser and allow unlimited CORS using the Chrome Allow-Control-Allow-Origin extension

  5. Disable CORS in Chrome: Quit Chrome completely. Open a terminal and execute the following. Just be cautious you are disabling web security:

    open -a Google\ Chrome –args –disable-web-security –user-data-dir

Leave a Comment