The Access-Control-Allow-Origin response header is part of the Cross-Origin Resource Sharing (CORS) mechanism, which lets browsers access selected resources on a domain different from the one the request originates from.
The option adds an Access-Control-Allow-Origin header to the response sent to the browser and can help to:
- protect content from being used on third-party sites or in third-party applications;
- prevent the "XMLHttpRequest cannot load http://domain.ru. No 'Access-Control-Allow-Origin' header is present on the requested resource" error.
How does the CORS mechanism work?
For example, a user of http://domain1.com opens an image located at http://cdn-domain.com/image.jpg. In this case, the user's browser sends a request like the following to the http://cdn-domain.com server:
GET /image HTTP/1.1
Host: domain2.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://domain1.com/examples/access-control/test.html
Origin: http://domain1.com
In this request the most important header is Origin. It tells the server that the request was sent from http://domain1.com.
The http://cdn-domain.com server reads the Origin header and accepts or rejects the request.
If the server accepts the request, it responds to the browser with the Access-Control-Allow-Origin header. This header allows the browser to display the requested image to the http://domain1.com user.
Important! Header values (in the example below, "*") depend on the server configuration. Read more about this, and about the reasons for accepting or rejecting a request, here.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2020 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
[XML Data]
If the server rejects the request, the response is sent to the browser without the Access-Control-Allow-Origin header and the requested image is not displayed.
How to configure Access-Control-Allow-Origin in a personal account
Go to Advanced Settings in the resource settings and add the HTTP-header Access-Control-Allow-Origin option from the Access (Security) section.
There are three variants on how to configure this option:
1. *, for all domains: the content can be accessed from any domain.
In this case the CDN sends the Access-Control-Allow-Origin header to the browser with the "*" value and the content is available to view.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2020 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
2. "$http_origin" if an origin is listed below: the content can be accessed only from the domains listed in the option field; the domain from which the request was sent is returned in the response.
When a request is received, the CDN compares the Origin header value with the domains specified for the HTTP-header Access-Control-Allow-Origin option.
If the Origin header value matches one of the specified domains, the CDN adds the Access-Control-Allow-Origin header to the response with the requesting domain as its value.
If the Origin header value does not match any of the specified domains, the Access-Control-Allow-Origin header is not added and the content is not displayed.
Important! You can enter up to 20 domains.
For example, cdn-domain.com is set in the option settings.
In this case, if the request for your content is sent from cdn-domain.com, the user's browser gets the following response and the content is displayed.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: https://cdn-domain.com
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
If the request is not sent from cdn-domain.com, the Access-Control-Allow-Origin header is not added to the response and the content is not displayed.
3. "$http_origin", for all domains: the content can be accessed from any domain, and the domain from which the request was sent is returned in the response.
This variant works like the first one, but the response the browser receives after a successful request differs: the domain from which the request was sent is placed in the Access-Control-Allow-Origin header instead of "*".
In this case, if the request for your content is sent e.g. from cdn-domain.com, that domain is placed in the Access-Control-Allow-Origin response header and the content is displayed to the cdn-domain.com user.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: https://cdn-domain.com
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
This variant can be useful when the "*" value is not suitable for the filtering configured on the server.
All files delivered by the CDN will contain the Access-Control-Allow-Origin header.
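As an added illustration (not code from this page or from the CDN itself), the following Python models the decision each of the three variants makes for a request's Origin header, together with the browser-side check described in the CORS section above. The mode names, the handling of a missing or malformed Origin, and the exact-hostname comparison are assumptions, since the page only says the value must "match" a listed domain.

```python
from enum import Enum
from typing import Iterable, Optional
from urllib.parse import urlsplit


class AcaoMode(Enum):
    ANY_STAR = 1       # variant 1: "*" for all domains
    LISTED_ORIGIN = 2  # variant 2: "$http_origin" if the origin is listed
    ANY_ORIGIN = 3     # variant 3: "$http_origin" for all domains


MAX_LISTED_DOMAINS = 20  # limit stated in the option description


def acao_header(mode: AcaoMode, listed: Iterable[str], origin: Optional[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value the CDN would send for a
    request carrying the given Origin header, or None when the header is not
    added (the browser then refuses to show the content)."""
    allowed = {d.strip().lower() for d in listed if d.strip()}
    if len(allowed) > MAX_LISTED_DOMAINS:
        raise ValueError("at most 20 domains can be listed")
    if mode is AcaoMode.ANY_STAR:
        return "*"  # sent on every response, whether or not Origin is present
    if not origin:
        return None  # assumption: nothing to reflect without an Origin header
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # assumption: a malformed Origin is treated as no match
    if mode is AcaoMode.ANY_ORIGIN:
        return origin  # reflects whatever origin asked: as permissive as "*"
    # variant 2: exact hostname comparison, never substring or suffix matching,
    # so look-alike hosts such as cdn-domain.com.example do not pass
    return origin if parts.hostname in allowed else None


def browser_accepts(acao: Optional[str], page_origin: str) -> bool:
    """Browser side: the cross-origin response is usable only if the header is
    "*" or names the requesting page's origin exactly."""
    return acao == "*" or acao == page_origin


if __name__ == "__main__":
    # Constructed sample matching the page: cdn-domain.com is listed, and requests
    # arrive from the listed host and from the unrelated http://domain1.com page.
    listed = ["cdn-domain.com"]
    for mode in AcaoMode:
        for origin in ("https://cdn-domain.com", "http://domain1.com"):
            value = acao_header(mode, listed, origin)
            print(f"{mode.name:14} Origin={origin:24} ACAO={value} "
                  f"shown={browser_accepts(value, origin)}")
```

Running it shows that variant 3 reflects every origin and is therefore no more restrictive than "*"; only variant 2 limits which pages may use the content.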
Rules
Configure the Access-Control-Allow-Origin header only for certain files via Rules.
Go to Advanced Settings -> the Security section -> the HTTP-header Access-Control-Allow-Origin option.
If the option is not added to the list, the CDN uses the CDN Resource settings for the HTTP-header Access-Control-Allow-Origin option.
If you add the option to the list but do not enable it, the Access-Control-Allow-Origin header is not added.