1

There are a lot of topics about 'Access-Control-Allow-Origin', but I couldn't find one for OpenSeadragon which is for a sub-domain name. My website is exampple.domain.com trying to open DZI from anotherexampple.domain.com and I have an error:

XMLHttpRequest cannot load anotherexampple.domain.com/123.dzi. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'exampple.domain.com' is therefore not allowed access.

Both websites are using the same protocol, HTTPS, and the server is IIS.

Server for exampple.domain.com is set up with:

Access-Control-Allow-Origin: *

And server for anotherexampple.domain.com is set up with:

Access-Control-Allow-Origin: *.domain.com

Also, openseadragon has settings:

crossOriginPolicy: 'Anonymous',
ajaxWithCredentials: false,

Can somebody tell me how to fix CORS issue for same domain with different sub-domains? Thanks in advance.

Abdeali Chandanwala
Observer
  • [Please don't put tags in question titles](https://stackoverflow.com/help/tagging) – Liam Jun 15 '17 at 15:32
  • "Can somebody tell me how to fix CORS issue for same domain with different sub-domains?" — The same way you fix cross-origin issues for any other pair of origins that are not the same as each other. – Quentin Jun 15 '17 at 15:35

2 Answers

3
Access-Control-Allow-Origin: *.domain.com

The Access-Control-Allow-Origin header doesn't support partial wildcards.

Either use * or the full origin name.

You can read the Origin request header, pattern match it, and then echo it out on the server if you want to whitelist everything on a particular domain.

No 'Access-Control-Allow-Origin' header is present on the requested resource.

You might have tried to set the Access-Control-Allow-Origin header, but it clearly hasn't worked. You need to reexamine your configuration.

Quentin
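The approach from the answer above (read the Origin request header, pattern match it, echo it back), as an added example that is not part of the original answer or of OpenSeadragon. The names `ALLOWED_PARENT` and `corsHeadersFor` are hypothetical, and the sketch assumes only HTTPS origins under `domain.com` should be allowed; the same logic has to run wherever the server for the DZI files builds its response headers.

```javascript
// Added example: ALLOWED_PARENT and corsHeadersFor are hypothetical names.
const ALLOWED_PARENT = 'domain.com'; // parent domain from the question

// Given the value of the request's Origin header, return the CORS-related
// response headers. Access-Control-Allow-Origin is set only for an exact,
// well-formed HTTPS origin on domain.com or one of its sub-domains.
function corsHeadersFor(originHeader) {
  // The response differs per Origin, so caches must key on it either way.
  const headers = { 'Vary': 'Origin' };
  if (typeof originHeader !== 'string') return headers;

  let url;
  try {
    url = new URL(originHeader);
  } catch (e) {
    return headers; // not parseable (this also covers the literal "null")
  }

  // A browser sends scheme://host[:port] and nothing else. Comparing with
  // the normalised form rejects paths, userinfo and odd capitalisation.
  if (url.origin !== originHeader) return headers;
  if (url.protocol !== 'https:') return headers;

  // Match on a label boundary: "evildomain.com" ends with "domain.com"
  // but not with ".domain.com", so it is refused.
  const host = url.hostname;
  const allowed =
    host === ALLOWED_PARENT || host.endsWith('.' + ALLOWED_PARENT);
  if (!allowed) return headers;

  // Echo the full origin; the header takes "*" or one complete origin.
  headers['Access-Control-Allow-Origin'] = originHeader;
  return headers;
}
```

A plain substring or unanchored pattern match on the Origin value is the usual mistake here, which is why the check compares whole host labels after parsing.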
0

This link has a nice explanation of the possible values for 'Access-Control-Allow-Origin'. Unfortunately, you do not have many options other than '*' or a single domain like 'http://example.com'.

https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/

Abdeali Chandanwala