Question:
I want to configure Apache for a cross-domain access header. I have tried multiple combinations as suggested in a number of threads on the forum, but it's not working for me.
The ways I have tried:
1) Specify domain on different lines as below with Header set:
Header set Access-Control-Allow-Origin "example1.com"
Header set Access-Control-Allow-Origin "example2.com"
Header set Access-Control-Allow-Origin: "example3.com"
With this setup it's picking only the last one and ignoring all the rest.
2) Specify domain on different lines as below with Header add:
Header add Access-Control-Allow-Origin "example1.com"
Header add Access-Control-Allow-Origin "example2.com"
Header add Access-Control-Allow-Origin: "example3.com"
With this it's showing all three domains in the header, but fonts are not getting picked up in Firefox.
3) Tried using SetEnvIf, but again it's not working:
SetEnvIf Origin "http(s)?://(www\.)?(mydomain.com|mydomain2.com)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
It is finally working with "*", but I don't want to use this.
Please help with this.
Answer 1:
For 3 domains, in your .htaccess:
<IfModule mod_headers.c>
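# $0 is the whole matched Origin; appending $1 would add a stray "s" for https origins.
# The pattern is anchored with ^ and the dots are escaped so only the listed hosts match.
SetEnvIf Origin "^http(s)?://(www\.)?(domain1\.org|domain2\.com|domain3\.net)$" AccessControlAllowOrigin=$0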
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
I've tried this and it works for me. Let me know if it doesn't for you.
Answer 2:
Unless I'm misunderstanding the manual, it should be:
Header always append Access-Control-Allow-Origin: "example1.com"
Header always append Access-Control-Allow-Origin: "example2.com"
Header always append Access-Control-Allow-Origin: "example3.com"
The manual states that the set and add actions behave in the following way:
set: "The response header is set, replacing any previous header with this name"
add: "...This can result in two (or more) headers having the same name. This can lead to unforeseen consequences..."
Answer 3:
To restrict access to certain URIs, check out these docs:
CrossOriginRequestSecurity
Server-Side Access Control#Apache_examples
One helpful trick is to use an Apache rewrite, environment variable, and headers to apply Access-Control-Allow-* to certain URIs. This is useful, for example, to constrain cross-origin requests to GET /api(.*).json requests without credentials:
# The E=VAR:VAL flag sets the environment variable that env=CORS tests below
RewriteRule ^/api(.*)\.json$ /api$1.json [E=CORS:True]
Header set Access-Control-Allow-Origin "*" env=CORS
Header set Access-Control-Allow-Methods "GET" env=CORS
Header set Access-Control-Allow-Credentials "false" env=CORS
Also, in general, according to W3 Wiki - CORS Enabled#For_Apache
To expose the header, you can add the following line inside Directory, Location, and Files sections, or within an .htaccess file.
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
And you can use add rather than set, but be aware that add can add the header multiple times, so it's generally safer to use set.
Answer 4:
Try this one, it works for me.
Apply in .htaccess:
SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.org|domain2\.com)$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Answer 5:
This will work 100%. Apply in .htaccess:
# Enable cross domain access control
SetEnvIf Origin "^http(s)?://(.+\.)?(domain1\.com|domain2\.org|domain3\.net)$" REQUEST_ORIGIN=$0
Header always set Access-Control-Allow-Origin %{REQUEST_ORIGIN}e env=REQUEST_ORIGIN
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "x-test-header, Origin, X-Requested-With, Content-Type, Accept"
# Force to request 200 for options
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* / [R=200,L]
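The following is an added example, not part of any answer above: a Python model of how the SetEnvIf rule from the question's third attempt fills in the header value, run over constructed Origin values. `PAGE_RULE` is copied from the question; `ANCHORED_RULE`, the sample origins and all function names are assumptions made for the illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re

# (pattern, value template) pairs as they would appear in
#   SetEnvIf Origin "<pattern>" AccessControlAllowOrigin=<template>
# PAGE_RULE is the question's third attempt. ANCHORED_RULE is an added variant
# (assumption): ^ anchor, escaped dots and $0 only, in the style of Answers 4 and 5.
PAGE_RULE = (r"http(s)?://(www\.)?(mydomain.com|mydomain2.com)$", "$0$1")
ANCHORED_RULE = (r"^https?://(www\.)?(mydomain\.com|mydomain2\.com)$", "$0")


def setenvif_value(rule, origin):
    """Model SetEnvIf: unanchored regex search on the Origin header, then
    $0..$9 in the template are replaced by the whole match / capture groups
    (an unmatched group becomes ""). None means the variable is not set,
    so a Header line guarded by env=... is not emitted."""
    pattern, template = rule
    m = re.search(pattern, origin)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))) or "", template)


def cors_passes(rule, origin):
    """The browser's check for a non-wildcard header: the value must equal
    the request's Origin exactly."""
    return setenvif_value(rule, origin) == origin


# Constructed sample Origin values (not taken from any real log).
SAMPLES = [
    "http://mydomain.com",
    "https://www.mydomain2.com",
    "http://mydomainxcom",        # differs from the allowlist by one character
    "https://unlisted.example",
]


def report(rule):
    """Header value sent for each sample, and whether the browser accepts it."""
    return {o: (setenvif_value(rule, o), cors_passes(rule, o)) for o in SAMPLES}


if __name__ == "__main__":
    for name, rule in (("page", PAGE_RULE), ("anchored", ANCHORED_RULE)):
        for origin, (value, ok) in report(rule).items():
            print(f"{name:9} {origin:28} -> {value!r:32} browser accepts: {ok}")
```

With the page's rule, an https origin gets a trailing "s" appended to the header value and the browser rejects it, while a host that differs from the allowlist by one character is reflected back. The anchored rule does neither.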
Answer 6:
This works for me in Classic ASP:
If Request.ServerVariables("HTTP_ORIGIN") = "http://domain1.com" Then
    Response.AddHeader "Access-Control-Allow-Origin","http://domain1.com"
ElseIf Request.ServerVariables("HTTP_ORIGIN") = "http://domain2.com" Then
    Response.AddHeader "Access-Control-Allow-Origin","http://domain2.com"
    'and so on
End If