How to allow origin header for multiple sites?

Actually, I’m not familiar with .yaml extension.
I tried to add the config as below

allowedOrigins: -

But it’s showing the error like this

The 'Access-Control-Allow-Origin' header contains the invalid value 'Array'.

1 Like

That will not work, you can specify in the configuration only one entry. If you check the index.php:

    $_cors = $cockpit->retrieve('config/cors', []);

    header('Access-Control-Allow-Origin: '      .($_cors['allowedOrigins'] ?? '*'));

so unless @artur accept a change for that (and not sure if that make sense), you may need to deal with it in the webserver, check for a solution here:

please consider using config.php instead of config.yaml:


return [

  'cors' => [

    'allowedOrigins' => in_array($_SERVER['HTTP_ORIGIN'], ['', '']) 
                        ? $_SERVER['HTTP_ORIGIN'] : ''


if you use the php based configuration, then you’re more flexible (eg using env variables for dynamic config)

1 Like

Thanks @pauloamgomes and @artur I comment off the Access-Control-Allow-Origin and Access-Control-Allow-Methods lines in index.php and add in .htaccess as below.

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(|$" AccessControlAllowOrigin=$0
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"

It’s working now. Thanks


I am running into this same issue. I am using cockpit within docker, my issue is I am getting CORS errors on imagery I link to in the cockpit stored assets.

I get the error in Chrome browser: Access to image at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I noticed in cockpit in index.php:30 (if (COCKPIT_API_REQUEST)) the CORS settings are only applying to API requests.

Is there any way to set multiple origins for file assets?

Thank you.