Access-Control-Allow-Origin

The Access-Control-Allow-Origin response header indicates whether the response can be shared with resources with the given origin.

Header type: Response header
Forbidden header name: no

Syntax

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>

Directives

*
For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
<origin>
Specifies a URI that may access the resource.

Examples

To allow any origin to access your resource, you can specify:

Access-Control-Allow-Origin: *

To allow https://developer.mozilla.org to access your resource, you can specify:

Access-Control-Allow-Origin: https://developer.mozilla.org

CORS and caching

If the server specifies an origin host rather than the "*" wildcard, then it must also include Origin in the Vary response header. This indicates to clients that server responses will differ based on the value of the Origin request header.

Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin
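
The following is an added example, not part of the original page: a server-side allowlist that echoes the request's Origin only on an exact match, run through a toy shared cache to show what the second origin receives with and without Vary: Origin. The names ALLOWED, corsHeaders, ToyCache and secondOriginSees, and the origin https://partner.example, are assumptions made for illustration.

```javascript
// Added example, not from the original page. ALLOWED, corsHeaders, ToyCache,
// secondOriginSees and https://partner.example are illustrative assumptions.
const ALLOWED = new Set(["https://developer.mozilla.org", "https://partner.example"]);

// The header carries one origin, so echo the request's Origin only on an exact allowlist match.
function corsHeaders(requestOrigin, sendVary = true) {
  const headers = {};
  if (sendVary) headers["Vary"] = "Origin"; // sent whether or not the origin is allowed
  if (requestOrigin && ALLOWED.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Minimal cache keyed on URL plus the request headers named in Vary,
// the way a shared HTTP cache selects a stored response.
class ToyCache {
  constructor() { this.store = new Map(); this.vary = new Map(); }
  key(url, reqHeaders, varyNames) {
    return url + "|" + varyNames.map(n => `${n}=${reqHeaders[n.toLowerCase()] ?? ""}`).join("&");
  }
  fetch(url, reqHeaders, originServer) {
    const names = this.vary.get(url) ?? [];
    const k = this.key(url, reqHeaders, names);
    if (this.store.has(k)) return this.store.get(k); // cache hit
    const resHeaders = originServer(reqHeaders);
    const newNames = resHeaders["Vary"] ? resHeaders["Vary"].split(",").map(s => s.trim()) : [];
    this.vary.set(url, newNames);
    this.store.set(this.key(url, reqHeaders, newNames), resHeaders);
    return resHeaders;
  }
}

// Two allowed origins request the same URL through one cache.
// Returns the Access-Control-Allow-Origin value the second origin receives.
function secondOriginSees(sendVary) {
  const cache = new ToyCache();
  const server = req => corsHeaders(req["origin"], sendVary);
  cache.fetch("/data", { origin: "https://developer.mozilla.org" }, server);
  return cache.fetch("/data", { origin: "https://partner.example" }, server)["Access-Control-Allow-Origin"];
}
```

Without Vary: Origin the second origin is served the cached response naming the first origin, which its browser will refuse to share with the requesting page; with it, each origin gets its own cached variant.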

Specifications

Specification: Fetch (the definition of 'Access-Control-Allow-Origin' in that specification)
Status: Living Standard
Comment: Initial definition.

Browser compatibility

Feature                      Chrome  Edge  Firefox  Internet Explorer  Opera  Safari  Servo
Access-Control-Allow-Origin  4       12    3.5      10                 12     4       ?

Feature                      Android  Chrome for Android  Edge Mobile  Firefox for Android  IE Mobile  Opera Mobile  Safari Mobile
Access-Control-Allow-Origin  2.1      (Yes)               (Yes)        1.0                  (Yes)      12            3.2

© 2005–2017 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin