tntlt_92978
Sep 21, 2015

CORS with multiple domains

I'm trying to catch the multiple domains in Header:Origin for CORS implementation with no luck. It gets only one domain. Does anybody know the solution?

when HTTP_REQUEST {
    # Remember the request's Origin header so the response event can echo it back
    if {([HTTP::host] equals "www.etc.com") && [HTTP::header exists Origin]} {
        log local0. "[HTTP::host] - [HTTP::header Origin]"
        set origin_host [HTTP::header Origin]
    }
}

when HTTP_RESPONSE {
    # Add the CORS response headers when an Origin was captured on the request
    if { [info exists origin_host] } {
        HTTP::header insert Access-Control-Allow-Credentials true
        log local0. "Set allow-origin to $origin_host"
        HTTP::header insert Access-Control-Allow-Origin $origin_host
        HTTP::header insert Access-Control-Allow-Headers "cache-control, if-modified-since, x-requested-with, Content-Type, origin, authorization, accept, client-security-token, keycode"
    }
}

The error I'm receiving:

The 'Access-Control-Allow-Origin' header contains multiple values ' https://www.bbb.com', but only one is allowed. Origin 'https://www.bbb.com' is therefore not allowed access.

4 Replies

  • Although in theory the Origin request header (and, by extension, the Access-Control-Allow-Origin response header) allows multiple comma-separated values, see the note at the bottom (from http://www.w3.org/TR/cors/access-control-allow-origin-response-header):

    The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:

    Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

    In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".
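
Added example, not part of the original thread and not F5's own code: an iRule that supports several permitted origins while still returning exactly one value in Access-Control-Allow-Origin, which is what the note quoted above requires. The allowlist variable, the variable names and the entry https://app.example.com are assumptions made for illustration; www.etc.com and https://www.bbb.com are taken from the question.

```tcl
when RULE_INIT {
    # Hypothetical allowlist of origins permitted to read responses cross-origin.
    # Entries are full origins (scheme://host[:port]), lower case, no trailing slash.
    set static::cors_allowed_origins {
        https://www.bbb.com
        https://app.example.com
    }
}

when HTTP_REQUEST {
    # Connection variables survive keep-alive requests, so clear the previous decision.
    unset -nocomplain cors_origin

    if { ([HTTP::host] equals "www.etc.com") && [HTTP::header exists "Origin"] } {
        set candidate [string tolower [HTTP::header value "Origin"]]

        # Exact match only: no substring or suffix matching, so an origin such as
        # https://www.bbb.com.other.example is not accepted.
        if { [lsearch -exact $static::cors_allowed_origins $candidate] >= 0 } {
            set cors_origin $candidate
        } else {
            log local0. "CORS: origin not in allowlist: $candidate"
        }
    }
}

when HTTP_RESPONSE {
    if { [info exists cors_origin] } {
        # Remove any copies already set by the server so the browser
        # sees a single Access-Control-Allow-Origin value.
        HTTP::header remove "Access-Control-Allow-Origin"
        HTTP::header remove "Access-Control-Allow-Credentials"

        # Echo back only the one origin that passed the allowlist check.
        # Credentials are allowed, so the value is never "*" or an unchecked Origin.
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        HTTP::header insert "Access-Control-Allow-Credentials" "true"

        # The response now differs per Origin; tell caches to key on it.
        HTTP::header insert "Vary" "Origin"
    }
}
```

Requests whose Origin is not on the list receive no CORS headers from this rule, so the browser blocks the cross-origin read.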