allow-origin
The allow-origin entry specifies which origins presented by clients are permitted to make cross-origin requests to the resources to which this policy applies.
allow-origin = <origin>
Description
An origin that is permitted for this policy. This configuration entry can be specified multiple times to list multiple allowable origins. A value of '*' indicates that requests are allowed from any origin. When configured with an origin or list of origins, this configuration entry adds the following header to the responses for pre-flight requests:
Access-Control-Allow-Origin = <any value which matches the request's origin header>
When configured with '*', this configuration entry adds the following header to the responses for pre-flight requests:
Access-Control-Allow-Origin = <request's origin header>
This entry affects both pre-flight and cross-origin requests. This entry is used when validating cross-origin requests.
Options
origin: This entry should be either '*' or a complete origin, including a scheme, a hostname and, optionally, a port.
Usage: Required.
Multiple entries can be specified if needed.
The origin matching performed is case sensitive.
If a '*' entry is specified, all other allow-origin entries for this policy are ignored.
Default value: None.
Example:
allow-origin = https://isva.ibm.com
allow-origin = https://isva.ibm.com:9443
or
allow-origin = *
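The rules above (complete origin required, case-sensitive matching, '*' overriding every other entry) can be checked against a stanza before it is deployed. The following Python is an added example, not IBM code: it lints allow-origin values and models the header behaviour documented on this page. The policy name apiPolicy, the function names, and the return of None for a non-matching origin are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample stanza; the policy name "apiPolicy" is hypothetical.
SAMPLE = """\
[cors-policy:apiPolicy]
allow-origin = https://isva.ibm.com
allow-origin = https://ISVA.ibm.com:9443
allow-origin = isva.ibm.com
allow-origin = https://isva.ibm.com/app
"""

def parse_allow_origin(text):
    """Collect allow-origin values in file order."""
    values = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "allow-origin":
            values.append(value.strip())
    return values

def lint(entries):
    """Return (entry, problem) pairs for values that will not behave as intended."""
    findings = []
    for e in entries:
        if e == "*":
            if len(entries) > 1:
                findings.append((e, "wildcard present: all other entries are ignored"))
            continue
        u = urlsplit(e)
        if not u.scheme or not u.hostname:
            findings.append((e, "not a complete origin (scheme and hostname required)"))
        elif u.path or u.query or u.fragment:
            findings.append((e, "has a path, query or fragment; an origin has none"))
        elif e != e.lower():
            # Browsers send the Origin scheme and host in lowercase.
            findings.append((e, "uppercase characters; matching is case sensitive"))
    return findings

def acao_for(entries, request_origin):
    """Access-Control-Allow-Origin value per this page, or None (assumed) if no match."""
    if "*" in entries:
        return request_origin  # documented: '*' returns the request's origin header
    return request_origin if request_origin in entries else None  # exact, case sensitive
```

With '*' configured, acao_for returns whatever origin the client sent, so a policy that also lists specific origins places no restriction on them.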
Parent topic: [cors-policy:policy-name] stanza