cross domain - How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags?

Question

I've been reading about Access-Control-Allow-Origin because it seems effective at allowing cross domain requests since I have access to the external site. My question ism how do I use Access-Control-Allow-Origin to allow cross domain requests. I tried this (don't laugh) (by the way all I want is for a single number, 1 or 0 to be returned)

<html>
<head>
Access-Control-Allow-Origin: *
</head>
<body>
1
</body>
</html>

Am I close? Thanks for your help. If there is an easier way to do a simple cross-domain request let me know.

Answer 1

There are 3 ways to allow cross domain origin (excluding jsonp):

1. Set the header in the page directly using a templating language like PHP. Keep in mind there can be no HTML before your header or it will fail.

2. Modify the server configuration file (apache.conf) and add this line. Note that "*" represents allow all. Some systems might also need the credential set. In general allow all access is a security risk and should be avoided:

   Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Credentials true

3. To allow multiple domains on Apache web servers add the following to your config file

   SetEnvIf Origin "http(s)?://(www.)?(example.org|example.com)$" AccessControlAllowOrigin=$0$1 Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin Header set Access-Control-Allow-Credentials true

4. For development use only hack your browser and allow unlimited CORS using the Chrome Allow-Control-Allow-Origin extension

5. Disable CORS in Chrome: Quit Chrome completely. Open a terminal and execute the following. Just be cautious you are disabling web security:

   open -a Google Chrome --args --disable-web-security --user-data-dir