如何根据允许的来源列表设置 Access-Control-Allow-Origin 标头的值？

Question

I have read quite a lot of posts but none of them worked though.

I have ec2 setup in aws installed with ubuntu 16.04 and nginx. went into the site-available / site-enabled to 'Access-Control-Allow-Origin' allowing one domain access, but how can I add more than one domain access?

I would get multiple values error if I add more than one accress. Lots posts are about php such as

NGINX 'Access-Control-Allow-Origin' header contains multiple values

even though I am not using php but I have tried using the code above but does not work though.

is anyone able to give me a hand or direct me how this can be done on server?

Thanks in advance.

Answer 1

You can conditionally cause the Access-Control-Allow-Origin response header to be sent, with the right value, by adding something like the following to your nginx config.

location / {
  set $is_allowed_origin "";
  if ($http_origin = "https://some.allowed.origin") {
    set $is_allowed_origin "true";
  }
  if ($http_origin = "https://another.allowed.origin") {
    set $is_allowed_origin "true";
  }
  if ($is_allowed_origin = "true") {
    add_header "Access-Control-Allow-Origin" "$http_origin";
  }
}

That'll cause Access-Control-Allow-Origin: https://some.allowed.origin to be sent if the value of the Origin request header in the request is https://some.allowed.origin , and will cause Access-Control-Allow-Origin: https://another.allowed.origin to be sent if the Origin is https://another.allowed.origin , etc.

And if the value of the Origin request header is neither https://some.allowed.origin or https://another.allowed.origin , then no Access-Control-Allow-Origin would be sent.