Access-Control-Allow-Origin Header
Table of Content
The Access-Control-Allow-Origin header is part of the Cross-Origin Resource Sharing (CORS) specification, which enables secure cross-site request functionality across the web. Its main purpose is to indicate which origins are allowed to read the resource on a web page.
Syntax
The syntax for the Access-Control-Allow-Origin header is as follows:
Access-Control-Allow-Origin: *Or
Access-Control-Allow-Origin: <origin>Where <origin> is a single origin that may access the resource. The * wildcard allows all origins.
Directives
There are two primary directives for Access-Control-Allow-Origin:
<origin>: Specifies an origin. Only a single origin can be specified.*: Any origin may access the resource. This might be used withAccess-Control-Allow-Credentials, otherwise, the*literal is used in the header.
Examples
The following are some examples of how to use Access-Control-Allow-Origin header:
- Allowing any site to access your resource.
Access-Control-Allow-Origin: *- Allowing a specific website to access your resource.
Access-Control-Allow-Origin: http://specific.website.comBrowser Compatibility
| Browser | Compatibility |
|---|---|
| Chrome | Supported |
| Firefox | Supported |
| Safari | Supported |
| Opera | Supported |
| Edge | Supported |
How to modify Access-Control-Allow-Origin header
ModHeader is an extension available for Chrome that allows you to modify and customize HTTP request headers. It can be particularly useful for testing CORS by setting Access-Control-Allow-Origin header.
Install ModHeader from the Chrome Web Store.
After installing, click on the ModHeader icon in the toolbar, and you will see input fields for 'Request Headers'.
Enter
Access-Control-Allow-Originin the 'Name' field and either*or a specific origin URL, likehttp://specific.website.com, in the 'Value' field.Now, whenever Chrome makes a request to a server, it will include this header with the specified value.