user3980196 - 3 months ago
Apache Configuration Question

Issues with Header set Access-Control-Allow-Origin

I have the following in my .htaccess file:

Header set Access-Control-Allow-Origin: "*"

It works perfectly! But it is bad security practice.

When I change it to:

Header set Access-Control-Allow-Origin: ""

I get the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header 'Access-Control-Allow-Origin' does not match '').

How do I handle this?


From the live site:

Font from origin '' has been blocked from loading by Cross-Origin Resource Sharing policy: The 'Access-Control-Allow-Origin' header has a value '' that is not equal to the supplied origin. Origin '' is therefore not allowed access.

From a comment from the OP:

Please note, I get this error when accessing the website through instead of

That is your problem.

If you give permission to but not to then you can't access it from

Permissions are on a per-origin basis, not on a per-second-level-domain basis.

Pick one of the two host names (with or without www) and stick to it. Redirect from one to the other. Don't host your site on two different host names. Doing so is more trouble than it is worth.
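An added `.htaccess` example (not part of the original answer) of the single-host redirect recommended above, plus an exact-match origin allow-list in place of `"*"`. The host names `example.com`, `www.example.com` and `static.example.com` are placeholders, and the sketch assumes the site is served over HTTPS with mod_rewrite, mod_setenvif and mod_headers enabled.

```apache
# Constructed example: all example.com host names below are placeholders.

# 1) Serve the site from one canonical origin: redirect the bare host to www.
#    Pages and fonts then share an origin and need no CORS header at all.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# 2) If other origins really must read these resources, allow-list them
#    instead of sending "*". An origin is scheme + host + port, so each
#    permitted origin is matched exactly; www and non-www are different origins.
#    $0 is the whole matched Origin value. The variable stays unset when
#    the request's Origin is not on the list.
SetEnvIf Origin "^https://(www\.example\.com|static\.example\.com)$" CORS_ALLOWED_ORIGIN=$0

# Echo back only an allow-listed origin; any other origin gets no header.
Header set Access-Control-Allow-Origin "%{CORS_ALLOWED_ORIGIN}e" env=CORS_ALLOWED_ORIGIN

# The response now varies with the request's Origin header, so shared
# caches must key on it to avoid serving one origin's header to another.
Header merge Vary Origin
```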