Enable multiple domains in Access-Control-Allow-Origin

Hello, we have created a worker solely to allow CORS on some URLs within our domain. It works perfectly when * is declared as the value of Access-Control-Allow-Origin, but when I want to use a list of domains, I see the following error:

Access to XMLHttpRequest at ‘https://xxxxxx/awa/xxxxxx/create_token’ from origin ‘https://xxxx-api-xxxx.xxxx.xxxx’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: The ‘Access-Control-Allow-Origin’ header contains multiple values ‘https://xxxx-qa.xxxx.xxxx, https://api-xxxx.xxxx.xxxx, https://bot-api-qa.xxxx.xxxx’, but only one is allowed.

Is there any other way to allow CORS? We’ve tried using the zero trust tool but CORS doesn’t work. We see this error:

(redirected from ‘https://xxxxx.kiusys.net/xxxxx/pbservice/create_token’) from origin ‘https://xxxx-xxxx-qa.xxxx.xxxx’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Any help?

Because the Access-Control-Allow-Origin (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) only accepts a single domain or * (or null, which you shouldn’t use).

Here is a great video I used in the past when I struggled with the same question from @signalnerve

https://egghead.io/lessons/cloudflare-secure-an-api-with-access-control-allow-headers

2 Likes
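One way to serve several origins with a header that accepts only one value, as an added example that is not code from the thread or the linked video: compare the request's Origin against an exact-match allow-list and echo back only that origin. The origins, methods and allowed request headers below are constructed placeholders, and `corsHeaders` and `worker` are hypothetical names.

```javascript
// Constructed allow-list; replace with the origins you actually trust.
const ALLOWED_ORIGINS = new Set([
  "https://qa.example.com",
  "https://api.example.com",
  "https://bot-api-qa.example.com",
]);

// Return CORS headers for one request: a single echoed origin (never a
// comma-separated list), or an empty object when the origin is not trusted.
// Exact string comparison rejects "null" and look-alike hosts such as
// "https://api.example.com.attacker.test".
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS", // assumed methods
    "Access-Control-Allow-Headers": "Content-Type, Authorization", // assumed
  };
}

const worker = {
  async fetch(request) {
    const cors = corsHeaders(request.headers.get("Origin"));

    if (request.method === "OPTIONS") {
      // Answer the preflight at the edge. Vary: Origin keeps caches from
      // serving one origin's response to another origin.
      return new Response(null, {
        status: 204,
        headers: { ...cors, Vary: "Origin" },
      });
    }

    const upstream = await fetch(request);
    const response = new Response(upstream.body, upstream); // mutable copy
    // Drop any upstream value so the header never ends up with two entries.
    response.headers.delete("Access-Control-Allow-Origin");
    for (const [name, value] of Object.entries(cors)) {
      response.headers.set(name, value);
    }
    response.headers.append("Vary", "Origin");
    return response;
  },
};

// In a Workers module script, finish with: export default worker;
```

A request from an origin outside the list gets no Access-Control-Allow-Origin header at all, so the browser blocks the cross-origin read.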
