I have 3 websites, A, B and C.
Site A has a "test.js" javascript file that I'm calling on sites B and C. The test.js file uses an XMLHttpRequest to grab the contents of a separate "stuff.html" file on Site A to return to a div on the calling website.
In order to allow for CORS on just the B and C sites, based on this answer on StackOverflow and several others, I placed the following .htaccess in the A site directory:
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(b.com|c.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header append Vary Origin
</IfModule>
When I try to load site B, it seems to work. But when I try to load site C in the same browser, I get the following error:
XMLHttpRequest cannot load http://www.a.com/stuff.html. The 'Access-Control-Allow-Origin' header has a value 'http://www.b.com' that is not equal to the supplied origin. Origin 'http://www.c.com' is therefore not allowed access.
That said, if I clear the cache and then load site C, it works. But then loading site B doesn't work, and gives the same error (in reverse).
Is there a way to get this so that it allows both sites to load it properly? Not sure what I might be missing here.
Edit:
After a bit of testing, I did find that using a wildcard resolves the problem:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin *
</IfModule>
...though I'm not sure about the security on that, since it's open to everyone. Assuming that stuff.html is just a static html file with anchor links, and the only thing that test.js does is to return that file's content to the client's page, is there anything to be worried about? Not sure if that could be exploited for anything malicious.
