The Access-Control-Allow-Origin response header indicates whether the response can be shared with resources with the given origin.

Header type Response header
Forbidden header name no

Syntax

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>

Directives

*
For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
<origin>
Specifies a URI that may access the resource.

Examples

To allow any resource to access your resource, you can specify:

Access-Control-Allow-Origin: *

To allow https://developer.mozilla.org to access your resource, you can specify:

Access-Control-Allow-Origin: https://developer.mozilla.org

CORS and caching

If the server specifies an origin host rather than "*", then it must also include Origin in the Vary response header to indicate to clients that server responses will differ based on the value of the Origin request header.

Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin

Handling CORS on the server (Java example)

This is how one can create a simple CORS filter to allow every type of CORS using Java on the server:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;


@component
public class SimpleCORSFilter implements Filter {

private final Logger log = LoggerFactory.getLogger(SimpleCORSFilter.class);

public SimpleCORSFilter() {
    log.info("SimpleCORSFilter init");
}

@override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {    
    
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
    response.setHeader("Access-Control-Allow-Credentials", "true");
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");
    chain.doFilter(req, res);
}


@Override
public void init(FilterConfig filterConfig) {
}

@Override
public void destroy() {
}

}

Specifications

Specification Status Comment
Fetch
The definition of 'Access-Control-Allow-Origin' in that specification.
Living Standard Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support4123.510124
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support2.1 Yes Yes4123.2 Yes

See also