Access-Control-Allow-Origin with multiple origin domains (CORS)

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. [According to developer.mozilla.org]

In your Episerver site, you can allow a single origin by adding it to your web.config file like this.

<configuration>
   <system.webServer>
     <httpProtocol>
       <customHeaders>
          <add name="Access-Control-Allow-Origin" value="https://www.domain.com" />
       </customHeaders>
     </httpProtocol>
   </system.webServer>
</configuration>

You can allow all origins by replacing the domain with *, but it's not possible to add a list of domains in web.config.

To allow more than one domain, check the Origin header of the request against a list of allowed domains, and return only that domain in the Access-Control-Allow-Origin header. Example:

[HttpGet]
public JsonResult Index(string id)
{
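   // Origin is sent by the browser on cross-origin requests; null when absent.
   var origin = Request.Headers["Origin"];
   // Exact string comparison against each allowed origin (scheme + host).
   if (origin == "https://www.domain1.com" || origin == "https://www.domain2.com")
   {
      // Echo back only the matching origin, never the whole list.
      Response.AddHeader("Access-Control-Allow-Origin", origin);
   }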

   ...
}

That's it!
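
A reusable form of the check above, written as an ASP.NET MVC action filter; this is an added example, not code from the original post. The names `AllowListedCorsAttribute` and `ResolveAllowedOrigin` are hypothetical, the two origins are the post's placeholders, and the `Vary: Origin` header goes beyond the post's snippet so that a cache does not hand a response allowed for one origin to another.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Added example: attribute and helper names are hypothetical.
public sealed class AllowListedCorsAttribute : ActionFilterAttribute
{
    // Full origins (scheme://host[:port]); placeholder values from the post.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "https://www.domain1.com",
            "https://www.domain2.com"
        };

    // Returns the origin to echo back, or null when no CORS header should be sent.
    public static string ResolveAllowedOrigin(string originHeader)
    {
        // No Origin header: same-origin navigation or a non-browser client.
        if (string.IsNullOrEmpty(originHeader)) return null;

        // Whole-string match only. Prefix, suffix or substring checks would
        // also accept look-alikes such as "https://www.domain1.com.example.net".
        return AllowedOrigins.Contains(originHeader) ? originHeader : null;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var response = filterContext.HttpContext.Response;

        // The headers now differ per requesting origin, so caches must key on Origin.
        response.AppendHeader("Vary", "Origin");

        var allowed = ResolveAllowedOrigin(request.Headers["Origin"]);
        if (allowed != null)
        {
            // Exactly one origin is returned; the header does not accept a list.
            response.AppendHeader("Access-Control-Allow-Origin", allowed);
        }

        base.OnActionExecuting(filterContext);
    }
}
```

Apply it as `[AllowListedCors]` on a controller or action, and remove any static Access-Control-Allow-Origin entry from web.config so the response does not end up with two values for the header.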