Category Archives: accesscontrolalloworigin

htaccess Access-Control-Allow-Origin not working with multiple domains. Why?

I have a Magento 2 installation with 4 stores that I am setting up. Each store is a totally different domain that needs to get resources from the main installation's domain. In the example below, I have used sub-domains.

http://store.com       = Magento Installation and Control Panel
http://a.store.com     = Store 1
http://b.store.com     = Store 2
http://c.store.com     = Store 3
http://d.store.com     = Store 4

I have the following in .htaccess, similar to what another post here advised.

<IfModule mod_headers.c>
  SetEnvIf Origin "http(s)?://(www\.)?(.*\.)?store\.com$" AccessControlAllowOrigin=$0$1
  Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
  Header set Access-Control-Allow-Credentials true
</IfModule>

Now when I load store http://a.store.com, it works fine. Then I load http://b.store.com straight after and the site fails with:

"Access to Font at 'http://store.com' from origin 'http://b.store.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'http://a.store.com' that is not equal to the supplied origin. Origin 'http://b.store.com' is therefore not allowed access."

Conclusion

The Header Access-Control-Allow-Origin is not updating on each request.

I also tried "add" instead of "set" for the header but that did not work either.

My Question

How do I force the Header to update on each request?
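
The symptom in the question above, modelled as an added example (not code from the post): it assumes, which the post does not confirm, that the font response is being reused from a browser or intermediary cache. A response that echoes the request's Origin but carries no `Vary: Origin` can be replayed to a different origin. The pattern, URL and function names are constructed for illustration.

```python
import re

# Constructed allow-list in the spirit of the SetEnvIf rule above: anchored at
# both ends, and only the matched origin itself is echoed back.
ALLOWED = re.compile(r"^https?://([a-z0-9-]+\.)*store\.com$")

def origin_server(origin):
    """Build response headers the way the SetEnvIf/Header pair is meant to."""
    headers = {"Content-Type": "font/woff2"}
    if ALLOWED.match(origin):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

class Cache:
    """Minimal HTTP cache: keyed by URL, plus the Origin when Vary names it."""
    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.store = {}
        self.origin_hits = 0  # requests that actually reached the server

    def fetch(self, url, origin):
        for stored_origin, headers in self.store.get(url, []):
            # Reusable if the response had no Vary, or the Origin is the same.
            if "Vary" not in headers or stored_origin == origin:
                return headers
        self.origin_hits += 1
        headers = origin_server(origin)
        if self.send_vary:
            headers["Vary"] = "Origin"
        self.store.setdefault(url, []).append((origin, headers))
        return headers

def browser_allows(headers, origin):
    """The CORS comparison the browser applies to the font response."""
    return headers.get("Access-Control-Allow-Origin") == origin

def load_two_stores(send_vary):
    """Load store a, then store b; return (CORS results, server hits)."""
    cache = Cache(send_vary)
    url = "http://store.com/static/font.woff2"  # constructed URL
    origins = ("http://a.store.com", "http://b.store.com")
    results = [browser_allows(cache.fetch(url, o), o) for o in origins]
    return results, cache.origin_hits

if __name__ == "__main__":
    print("without Vary:     ", load_two_stores(False))
    print("with Vary: Origin:", load_two_stores(True))
```

In mod_headers terms, the second case corresponds to also sending `Header merge Vary Origin` alongside the Access-Control-Allow-Origin line.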

Access Control Allow Origin Header Issue

I'm having an issue with setting the CORS header in the configuration file, httpd.conf.

I've followed the instructions from the documentation and Stack Overflow help.

Here's what I've done so far:

1) Checking header modules (making sure it's uncommented)

LoadModule headers_module modules/mod_headers.so

2) Set CORS Header for Origin Allow in httpd.conf

<Directory "C:/xampp/htdocs/projects">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks Includes ExecCGI

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   AllowOverride FileInfo AuthConfig Limit
#
AllowOverride All

#
# Controls who can get stuff from this server.
#
Require all granted

#
# Allowing CORS Header Access Control Allow Origin
#
# (Added this line here)
Header set Access-Control-Allow-Origin "*"
</Directory>

3) Restarted Windows Apache using GUI

I keep getting this error:

No 'Access-Control-Allow-Origin' header is present on the requested resource.

It seems that the suggestions above from Googling-fu are not working at all. Any help is much appreciated in advance!

EDIT: Fixed formatting