No 'Access-Control-Allow-Origin' for 2 different domains or sub-domains CORS issue

Question

There are a lot o topics about 'Access-Control-Allow-Origin', but I couldn't find one for Openseadragon which is for sub-domain name. My website is exampple.domain.com trying to open DZI from anotherexampple.domain.com and I have an error:

XMLHttpRequest cannot load anotherexampple.domain.com/123.dzi . No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin ' exampple.domain.com ' is therefore not allowed access.

Both websites are using the same protocol HTTPS, and server is IIS

Server for exampple.domain.com is set up with:

Access-Control-Allow-Origin: *

And server for anotherexampple.domain.com is set up with:

Access-Control-Allow-Origin: *.domain.com

Also, openseadragon has settings:

crossOriginPolicy: 'Anonymous',
ajaxWithCredentials: false,

Can somebody tell me how to fix CORS issue for same domain with different sub-domains? Thanks in advance.

Answer 1

Access-Control-Allow-Origin: *.domain.com

The Access-Control-Allow-Origin header doesn't support partial wildcards.

Either use * or the full origin name.

You can read the Origin request header, pattern match it, and then echo it out on the server if you want to whitelist everything on a particular domain.

No 'Access-Control-Allow-Origin' header is present on the requested resource.

You might have tried to set the Access-Control-Allow-Origin header, but it clearly hasn't worked. You need to reexamine your configuration.

Answer 2

This link has a nice explanation for possible values for 'Access-Control-Allow-Origin'. unfortunately you do not have much options, other than '*' or single domain like ' http://example.com '

https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/