Simple CORS using .htaccess file.

Submitted by clemens on Sun, 2015/03/01 - 3:31pm

Cross-Origin Resource Sharing (CORS) allows web browser to validate and web server to provide a way to consume and provide cross-site content and access controls.

To make Drupal 8 respond to remote calls you should wait for the core issue https://www.drupal.org/node/1869548 which is postponed until Drupal 8.1.x or wait for the D8 version of https://www.drupal.org/project/cors

The alternative is using .htaccess and open up your Drupal install for the whole world use the settings below.

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, PATCH, DELETE"
Header always set Access-Control-Allow-Headers: Authorization

Make sure you reduce origin to a list of IPs or domains and the methods to e.g. only GET

For more info see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

planet

clemens's blog