Method 1: Access-Control-Allow-Origin-Header supports the wildcard *, which allows all domains
Drawback: access is far too broad, and security is greatly reduced
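// Browsers reject a credentialed request when Access-Control-Allow-Origin is *, so this pair only serves requests sent without credentials
$config['Access-Control-Allow-Origin-Header'] = 'Access-Control-Allow-Origin: *';
$config['Access-Control-Allow-Credentials-Header'] = 'Access-Control-Allow-Credentials: true';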
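Method 2: Read the request origin from $_SERVER['HTTP_ORIGIN'] and apply a simple check, which allows access from a specified list of domains and improves security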
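// Origin header sent by the browser; empty string when it is absent
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
// Origins allowed to read responses cross-origin
$allow_origin = array(
    'http://xxxxxx.org',
    'http://xxxxxx.org'
);
// Strict comparison: only an exact string match is echoed back
if (in_array($origin, $allow_origin, true)) {
    $config['Access-Control-Allow-Origin-Header'] = 'Access-Control-Allow-Origin: ' . $origin;
    $config['Access-Control-Allow-Credentials-Header'] = 'Access-Control-Allow-Credentials: false';
}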
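The allowlist check from Method 2, written as a reusable function and run over a few constructed origins to show which ones receive a grant. This is an added example, not code from the original page; the function name cors_headers, the $withCredentials parameter and the .example/.test origins are assumptions made for illustration.

```php
<?php
/**
 * Build the CORS response header lines for one request (hypothetical helper).
 * An origin that is not on the allowlist receives no Access-Control-* header.
 */
function cors_headers(string $origin, array $allowlist, bool $withCredentials = false): array
{
    // Vary on Origin so a shared cache never replays one origin's grant to another.
    $headers = array('Vary: Origin');

    // Exact, type-strict comparison: no substring, prefix or regex matching.
    if ($origin === '' || !in_array($origin, $allowlist, true)) {
        return $headers; // no grant: the browser blocks the cross-origin read
    }

    $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    if ($withCredentials) {
        // "true" is the only meaningful value; omit the header to deny credentials.
        $headers[] = 'Access-Control-Allow-Credentials: true';
    }
    return $headers;
}

// Constructed sample data (assumed origins, not taken from the page).
$allowlist = array('https://app.example', 'https://admin.example');
$samples = array(
    'https://app.example',               // allowlisted: gets a grant
    'https://app.example.attacker.test', // look-alike suffix: no grant
    'http://app.example',                // scheme differs: no grant
    'null',                              // sandboxed iframe or file: no grant
    '',                                  // no Origin header sent: no grant
);

foreach ($samples as $origin) {
    $lines = cors_headers($origin, $allowlist, true);
    echo str_pad('"' . $origin . '"', 40), ' => ', implode(' | ', $lines), PHP_EOL;
}

// In a live response each returned line would be passed to header():
// foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? '', $allowlist) as $line) {
//     header($line);
// }
```

Only the first sample prints an Access-Control-Allow-Origin line; the other four print Vary: Origin alone.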