HTTP Cross Origin and Access Control Server: responding to a CORS request
Example
The response to a CORS request must include an Access-Control-Allow-Origin header, which dictates what origins are allowed to use the CORS resource. This header can take one of three values:
- An origin. Doing this permits requests from that origin only.
- The character
*. This permits requests from any origin. - The string
null. This permits no CORS requests.
For example, on reception of a CORS request from the origin http://example.com, if example.com is an authorized origin, the server would send back this response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: example.com
An any-origin response would also permit this request, i.e.:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
