I'm using Google Cloud Load Balancing service, and want to enable CORS for all subdomains. For example, I want to be able to run an XHR request from https://sub.mywebsite.example to https://www.mywebsite.example

Typically, I will do the below, but it does not work:

enter image description here

Ted Hoang
  • Does this answer your question? [Access-Control-Allow-Origin wildcard subdomains, ports and protocols](https://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols) – derpirscher Jul 08 '22 at 08:22
  • No, my case in Google Cloud Load Balancing is not any different app. Maybe I can't add any variable or regex in the header value field – Ted Hoang Jul 08 '22 at 09:24
  • doesn't matter. The main point of that answer is: You must either specify `*` as Allow-Origin header or the exact `protocol://host:port`. Something like `https://*.myhost.com` is just not allowed ... – derpirscher Jul 08 '22 at 20:36

1 Answer

As mentioned by @derpirscher you must either specify `*` as Allow-Origin header or the exact `protocol://host:port`.

In your use case the response to the CORS request is missing the required Access-Control-Allow-Origin header, which is used to determine whether or not the resource can be accessed by content operating within the current origin.

You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs. Private APIs should never use *, and should instead have a specific domain or domains set. In addition, the wildcard only works for requests made with the crossorigin attribute set to anonymous, and it prevents sending credentials like cookies in requests.

```
Access-Control-Allow-Origin: *
```

Ensure that the request has an Origin header and that the header value matches at least one of the Origins values in the CORS configuration. Note that the scheme, host, and port of the values must match exactly. Some examples of acceptable matches are as follows:

http://origin.example.com matches http://origin.example.com:80 (because 80 is the default HTTP port), but does not match https://origin.example.com, http://origin.example.com:8080, http://origin.example.com:5151, or http://sub.origin.example.com.

https://example.com:443 matches https://example.com but not http://example.com or http://example.com:443.

http://localhost:8080 only matches exactly http://localhost:8080, not http://localhost:5555 or http://localhost.example.com:8080.

Jyothi Kiranmayi
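Because the header value must be `*` or one exact origin, the usual way to serve every subdomain is to have the backend behind the load balancer check each request's `Origin` and return that single origin. The sketch below is an added example, not part of the original answer or of Google Cloud's configuration; the function names, the HTTPS-only policy and doing this in the backend application are assumptions.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PARENT = "mywebsite.example"  # assumption: parent domain taken from the question


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if it is malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    # An origin is scheme://host[:port] only: no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return scheme, host, (DEFAULT_PORTS[scheme] if port is None else port)


def same_origin(a, b):
    """Exact scheme/host/port comparison with default ports filled in."""
    na, nb = normalize_origin(a), normalize_origin(b)
    return na is not None and na == nb


def cors_headers(origin_header):
    """Response headers to add for a request that carried this Origin value."""
    headers = {"Vary": "Origin"}  # the response differs per origin, so caches must key on it
    parsed = normalize_origin(origin_header or "")
    if parsed is None:
        return headers
    scheme, host, port = parsed
    # Compare against ".parent" so that "notmywebsite.example" is not accepted.
    in_domain = host == ALLOWED_PARENT or host.endswith("." + ALLOWED_PARENT)
    if scheme == "https" and port == 443 and in_domain:
        # Return one exact origin, rebuilt from the parsed parts rather than the raw header.
        headers["Access-Control-Allow-Origin"] = f"https://{host}"
    return headers
```
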