I have the following in my .htaccess file:
Header set Access-Control-Allow-Origin: "*"
It works perfectly! But it is bad security practice.
When I change it to:
Header set Access-Control-Allow-Origin: "http://example.com"
I get the following error:
How do I handle this?
From the live site:
Font from origin 'http://arvindint.com' has been blocked from loading by Cross-Origin Resource Sharing policy: The 'Access-Control-Allow-Origin' header has a value 'http://arvindint.com' that is not equal to the supplied origin. Origin 'http://www.arvindint.com' is therefore not allowed access.
From a comment from the OP:
Please note, I get this error when accessing the website through www.example.com instead of example.com
That is your problem.
If you give permission to example.com but not to www.example.com then you can't access it from
Permissions are on a per-origin basis, not on a per-second-level-domain basis.
Pick one of the two host names (with or without www) and stick to it. Redirect from one to the other. Don't host your site on two different host names. Doing so is more trouble than it is worth.
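
The single-host fix described in the answer, written out as an added .htaccess example that is not part of the original question or answer. It assumes mod_rewrite and mod_headers are enabled, that overrides are allowed for this directory, and that the bare example.com is the host name being kept.

```apache
# Added example (not from the original post).
# Assumption: example.com without "www" is the one host name the site keeps.

# Before: any origin may read the response.
# Header set Access-Control-Allow-Origin "*"

RewriteEngine On

# Step 1: send every request that arrives on www.example.com to the same
# path on example.com, so pages are only ever served from one origin.
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^ http://example.com%{REQUEST_URI} [R=301,L]

# Step 2: allow exactly that origin. The browser compares this value with
# the Origin it sent as a whole string (scheme + host + port), which is why
# "http://example.com" never matched a page loaded from
# "http://www.example.com".
Header set Access-Control-Allow-Origin "http://example.com"
```

After the redirect, a visitor who types www.example.com ends up on http://example.com before any font is requested, so the Origin the browser sends matches the header value.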