How to allow origin header for multiple sites?

Actually, I’m not familiar with .yaml extension.
I tried to add the config as below

cors:
allowedOrigins: - https://domainone.com
                - https://domaintwo.com

But it’s showing the error like this

The 'Access-Control-Allow-Origin' header contains the invalid value 'Array'.

1 Like

That will not work, you can specify in the configuration only one entry. If you check the index.php:

    $_cors = $cockpit->retrieve('config/cors', []);

    header('Access-Control-Allow-Origin: '      .($_cors['allowedOrigins'] ?? '*'));

so unless @artur accept a change for that (and not sure if that make sense), you may need to deal with it in the webserver, check for a solution here: https://stackoverflow.com/a/11077890

please consider using config.php instead of config.yaml:

<?php

return [

  'cors' => [

    'allowedOrigins' => in_array($_SERVER['HTTP_ORIGIN'], ['https://domainone.com', 'https://domaintwo.com']) 
                        ? $_SERVER['HTTP_ORIGIN'] : 'https://domainone.com'
  ]

];

if you use the php based configuration, then you’re more flexible (eg using env variables for dynamic config)

1 Like

Thanks @pauloamgomes and @artur I comment off the Access-Control-Allow-Origin and Access-Control-Allow-Methods lines in index.php and add in .htaccess as below.

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(domainone.com|domaintwo.com$" AccessControlAllowOrigin=$0
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
</IfModule>

It’s working now. Thanks