Access-Control-Allow-Origin with multiple origin domains (CORS)

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. [According to developer.mozilla.org]

In your Episerver-site, you can add a single domain to your web.config file like this.

          <add name="Access-Control-Allow-Origin" value="https://www.domain.com" />

You can allow all origins by replacing the domain with *, but it's not possible to add a list of domains in web.config.

To allow more than one domain, check the Origin-header against a list of allowed domains, and return only that domain. Example:

public JsonResult Index(string id)
   var origin = Request.Headers["Origin"];
   if (origin == "https://www.domain1.com" || origin == "https://www.domain2.com")
      Response.AddHeader("Access-Control-Allow-Origin", origin);


That's it!