Revision 1132319 of Access-Control-Allow-Origin

Revision slug: Web/HTTP/Headers/Access-Control-Allow-Origin
Revision title: Access-Control-Allow-Origin
Revision id: 1132319
Created: Oct 20, 2016, 1:37:57 AM
Creator: teoli
Is current revision? Yes
Comment

Tags:

Revision Content

The Access-Control-Allow-Origin response header indicates whether the response can be shared with resources with the given {{glossary("origin")}}.

Header type	{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}	no

Syntax

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>

Directives

*: For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
<origin>: Specifies a URI that may access the resource.

Examples

To allow any resource to access your resource, you can specify:

Access-Control-Allow-Origin: *

To allow https://developer.mozilla.org to access your resource, you can specify:

Access-Control-Allow-Origin: https://developer.mozilla.org

CORS and caching

If the server specifies an origin host rather than "*", then it must also include Origin in the {{HTTPHeader("Vary")}} response header to indicate to clients that server responses will differ based on the value of the Origin request header.

Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin

Specifications

Specification	Status	Comment
{{SpecName('Fetch','#http-access-control-allow-origin', 'Access-Control-Allow-Origin')}}	{{Spec2("Fetch")}}	Initial definition.

Browser compatibility

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The <code><strong>Access-Control-Allow-Origin</strong></code> response header indicates whether the response can be shared with resources with the given {{glossary("origin")}}.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">Header type</th>
   <td>{{Glossary("Response header")}}</td>
  </tr>
  <tr>
   <th scope="row">{{Glossary("Forbidden header name")}}</th>
   <td>no</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<pre class="syntaxbox">
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: &lt;origin&gt;
</pre>

<h2 id="Directives">Directives</h2>

<dl>
 <dt>*</dt>
 <dd>For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.</dd>
 <dt>&lt;origin&gt;</dt>
 <dd>Specifies a URI that may access the resource.</dd>
</dl>

<h2 id="Examples">Examples</h2>

<p>To allow any resource to access your resource, you can specify:</p>

<pre>
Access-Control-Allow-Origin: *</pre>

<p>To allow <code>https://developer.mozilla.org</code> to access your resource, you can specify:</p>

<pre>
Access-Control-Allow-Origin: https://developer.mozilla.org</pre>

<h3 id="CORS_and_caching">CORS and caching</h3>

<p>If the server specifies an origin host rather than "<code>*</code>", then it must also include <code>Origin</code> in the {{HTTPHeader("Vary")}} response header to indicate to clients that server responses will differ based on the value of the <code>Origin</code> request header.</p>

<pre>
Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{SpecName('Fetch','#http-access-control-allow-origin', 'Access-Control-Allow-Origin')}}</td>
   <td>{{Spec2("Fetch")}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Origin")}}</li>
 <li>{{HTTPHeader("Vary")}}</li>
</ul>

Revert to this revision