The Access-Control-Allow-Origin response header indicates whether the response can be shared with resources with the given origin.
| Header type | Response header |
|---|---|
| Forbidden header name | no |
Access-Control-Allow-Origin: * Access-Control-Allow-Origin: <origin>
*<origin>To allow any resource to access your resource, you can specify:
Access-Control-Allow-Origin: *
To allow https://developer.mozilla.org to access your resource, you can specify:
Access-Control-Allow-Origin: https://developer.mozilla.org
If the server specifies an origin host rather than "*", then it must also include Origin in the Vary response header to indicate to clients that server responses will differ based on the value of the Origin request header.
Access-Control-Allow-Origin: https://developer.mozilla.org Vary: Origin
| Specification | Status | Comment |
|---|---|---|
| Fetch The definition of 'Access-Control-Allow-Origin' in that specification. | Living Standard | Initial definition. |
| Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
| Basic support | 4 | 12 | 3.5 | 10 | 12 | 4 |
| Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | Opera Android | iOS Safari | Samsung Internet |
|---|---|---|---|---|---|---|---|
| Basic support | 2.1 | Yes | Yes | 4 | 12 | 3.2 | ? |
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin