CORS with multiple domains

I'm trying to catch the multiple domains in Header:Origin for CORS implementation with no luck. It gets only one domain. Does anybody know the solution?

when HTTP_REQUEST {
    # Save the request's Origin header so the response event can use it
    if {([HTTP::host] equals "www.etc.com") && [HTTP::header exists Origin]} {
        log local0. "[HTTP::host] - [HTTP::header Origin]"
        set origin_host [HTTP::header Origin]
    }
}

when HTTP_RESPONSE {
    # Echo the saved Origin back in the CORS response headers
    if { [info exists origin_host] } {
        HTTP::header insert Access-Control-Allow-Credentials true
        log local0. "Set allow-origin to $origin_host"
        HTTP::header insert Access-Control-Allow-Origin $origin_host
        HTTP::header insert Access-Control-Allow-Headers "cache-control, if-modified-since, x-requested-with, Content-Type, origin, authorization, accept, client-security-token, keycode"
    }
}

The error I'm receiving:

The 'Access-Control-Allow-Origin' header contains multiple values 'https://www.ooo.com, https://www.bbb.com', but only one is allowed. Origin 'https://www.bbb.com' is therefore not allowed access.

Comments on this Question
Comment made 22-Sep-2015 by Jason Rahm
where is that error triggering?
0
Comment made 23-Sep-2015 by tntlt 10
By application logs.
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Sorry guys, it seems it is an application issue.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Although in theory the Origin request header (and, by extension, the Access-Control-Allow-Origin response header) allows multiple comma-separated values, see the note at the bottom (from http://www.w3.org/TR/cors/#access-control-allow-origin-response-header):

The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

0
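
An added example, not part of the original thread and not F5's own code: one way to serve several allowed origins while still returning a single Access-Control-Allow-Origin value, as the answer above requires. It assumes the two origins from the error message in the question form the allowlist and that the BIG-IP should be the only place that sets these CORS headers; the variable names are illustrative.

```tcl
when RULE_INIT {
    # Assumed allowlist: the two origins quoted in the question's error message.
    set static::allowed_origins {https://www.ooo.com https://www.bbb.com}
}

when HTTP_REQUEST {
    # iRule variables are connection-scoped, so reset on every request;
    # otherwise a keep-alive connection could reuse an earlier Origin.
    set cors_origin ""
    if { ([HTTP::host] equals "www.etc.com") && [HTTP::header exists Origin] } {
        set candidate [HTTP::header Origin]
        # Exact string match only: no substring, suffix or pattern matching,
        # so a look-alike origin is never reflected back.
        if { [lsearch -exact $static::allowed_origins $candidate] >= 0 } {
            set cors_origin $candidate
        } else {
            log local0. "CORS: origin not in allowlist: $candidate"
        }
    }
}

when HTTP_RESPONSE {
    # Remove any copies the backend already set, so the browser never
    # receives more than one Access-Control-Allow-Origin value.
    HTTP::header remove Access-Control-Allow-Origin
    HTTP::header remove Access-Control-Allow-Credentials
    if { $cors_origin ne "" } {
        HTTP::header insert Access-Control-Allow-Origin $cors_origin
        HTTP::header insert Access-Control-Allow-Credentials true
        # The response now differs per Origin, so caches must key on it.
        HTTP::header insert Vary Origin
    }
}
```

Requests from origins outside the allowlist get no CORS headers at all, which matters here because Access-Control-Allow-Credentials is set to true.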