We're looking for a person or people to help audit MDN to find places we could speed up. Is this you or someone you know? Check out the RFP: https://mzl.la/2IHcMiE

The Access-Control-Allow-Origin response header indicates whether the response can be shared with resources with the given origin.

Header type Response header
Forbidden header name no


Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>


For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
Specifies a URI that may access the resource.


To allow any resource to access your resource, you can specify:

Access-Control-Allow-Origin: *

To allow https://developer.mozilla.org to access your resource, you can specify:

Access-Control-Allow-Origin: https://developer.mozilla.org

CORS and caching

If the server specifies an origin host rather than "*", then it must also include Origin in the Vary response header to indicate to clients that server responses will differ based on the value of the Origin request header.

Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin


Specification Status Comment
The definition of 'Access-Control-Allow-Origin' in that specification.
Living Standard Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support4123.510124
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support2.1 Yes Yes4123.2 ?

See also

Document Tags and Contributors

 Contributors to this page: Sheppy, zhongshangwu, fscholz, teoli
 Last updated by: Sheppy,