4

I am trying to use a regular expression with CORS. I have read many times that this is not possible, that CORS is all (*) or exact domains: Access-Control-Allow-Origin wildcard subdomains, ports and protocols. However, this seems to contradict http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/. Could somebody clarify and, if using a regular expression is possible, provide a simple example? I have tried to implement the link above but with no success.

The regular expression I wish to use is

    ^http\://\blocal-.*\b\.testing-test:10005$

I have checked my regex and it matches the generated URLs. I have added SetEnvIf and Header set lines as suggested to my apache2.conf (is this correct?) as follows:

    SetEnvIf Origin "^http\://\blocal-.*\b\.mycompany-it:10005$" AccessControlAllowOrigin=$0
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

I am lost as to what to do next. It doesn't work. Thanks in advance.

user2683632
  • 1
    You can't include regexp in the Access-Control-Allow-Origin. All of this is covered in the question you linked to. You can certainly write your own code that generates the Access-Control-Allow-Origin header programmatically, as discussed in the article you linked to. If you need help implementing this, show us some attempts you have made to implement the logic described in the article, and why/how they have failed. – Ray Nicholus Aug 26 '13 at 12:33

1 Answer

5

Access-Control-Allow-Origin headers can only be a wildcard '*' or an exact URL. One way to do this is to first get the value of the Origin header from the request (this varies from server to server, but one sample might look like: request.headers['Origin']).

Then do a regex check with the value of the request Origin. If the request's origin passes the check with the allowed regex expression, then you can simply set the value of Access-Control-Allow-Origin to the value of the request's Origin (sample: response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']). In this way, you aren't violating the rule of the access control being a strict URL, but also allowing the server to accept multiple different allowed origins.

yoonjesung
  • 2
    It looks like you are writing JavaScript for ExpressJS on NodeJS. The question is asking about Apache configuration directives. – Quentin May 19 '17 at 13:56
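
The check the answer describes (read the request's Origin, test it against an allow-list pattern, echo it back only on a match), as an added example that is not part of the original question or answer. It is written for Node.js following the answer's request/response sketch rather than as Apache directives; the tightened pattern, the function names and the sample origins are assumptions.

```javascript
'use strict';

// Assumed allow-list, modelled on the question's pattern but tightened:
// one DNS label after "local-" instead of ".*", anchored at both ends.
const ALLOWED_ORIGIN = /^http:\/\/local-[a-z0-9-]+\.testing-test:10005$/;

// Returns the CORS response headers for a given request Origin value.
function corsHeadersFor(origin) {
  // Vary: Origin keeps shared caches from replaying a response that
  // carries one origin's Allow-Origin value to a different origin.
  const headers = { Vary: 'Origin' };
  if (typeof origin === 'string' && ALLOWED_ORIGIN.test(origin)) {
    // Echo the exact origin that passed the check, never the pattern.
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Hook for a node:http style handler (req.headers is lower-cased by Node).
function applyCors(req, res) {
  for (const [name, value] of Object.entries(corsHeadersFor(req.headers.origin))) {
    res.setHeader(name, value);
  }
}

// Constructed sample origins, not taken from the original post.
const SAMPLES = [
  'http://local-alice.testing-test:10005',               // allowed
  'https://local-alice.testing-test:10005',              // wrong scheme
  'http://local-alice.testing-test:10006',               // wrong port
  'http://local-alice.testing-test:10005.other.example', // trailing suffix
  'http://local-a.b.testing-test:10005',                 // more than one label
  'null',                                                // opaque origin
];

// Pairs each sample with the Allow-Origin value it would receive (or null).
function demo() {
  return SAMPLES.map((o) => [o, corsHeadersFor(o)['Access-Control-Allow-Origin'] || null]);
}

console.log(demo());
```

Only the first sample receives an Access-Control-Allow-Origin header; every other request gets just `Vary: Origin`, so the browser blocks the cross-origin read.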