{"id":8045,"date":"2015-11-22T03:00:29","date_gmt":"2015-11-22T03:00:29","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2015\/11\/22\/access-control-allow-origin-wildcard-subdomains-ports-and-protocols-open-source-projects-openshift-origin\/"},"modified":"2022-08-30T15:03:03","modified_gmt":"2022-08-30T15:03:03","slug":"access-control-allow-origin-wildcard-subdomains-ports-and-protocols-open-source-projects-openshift-origin","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2015\/11\/22\/access-control-allow-origin-wildcard-subdomains-ports-and-protocols-open-source-projects-openshift-origin\/","title":{"rendered":"Access-Control-Allow-Origin wildcard subdomains, ports and protocols-open source projects openshift\/origin"},"content":{"rendered":"<p>I needed a PHP-only solution, so just in case someone needs it as well. It takes an allowed input string like &#8220;*.example.com&#8221; and returns the request header server name, if the input matches.<\/p>\n<pre><code>function getCORSHeaderOrigin($allowed, $input)\n{\n    if ($allowed == '*')\n        return '*';\n\n    $allowed = str_replace('.', '\\.', $allowed);\n\n    if (($wildcardPos = strpos($allowed, '*')) !== false) {\n        $allowed = str_replace('*', '(.*)', $allowed);\n    }\n\n    $regexp = '\/^' . $allowed . 
'$\/';\n\n    if (!preg_match($regexp, $input, $matches))\n        return 'none';\n\n    return $input;\n}\n<\/code><\/pre>\n<p>And here are the test cases for a phpunit data provider:<\/p>\n<pre><code>\/\/    description                              allowed            input                     expected\narray('Allow Subdomain',                       'www.example.com', 'www.example.com',        'www.example.com'),\narray('Disallow wrong Subdomain',              'www.example.com', 'ws.example.com',         'none'),\narray('Allow All',                             '*',               'ws.example.com',         '*'),\narray('Allow Subdomain Wildcard',              '*.example.com',   'ws.example.com',         'ws.example.com'),\narray('Disallow Wrong Subdomain no Wildcard',  '*.example.com',   'example.com',            'none'),\narray('Allow Double Subdomain for Wildcard',   '*.example.com',   'a.b.example.com',        'a.b.example.com'),\narray('Don\\'t fall for incorrect position',    '*.example.com',   'a.example.com.evil.com', 'none'),\narray('Allow Subdomain in the middle',         'a.*.example.com', 'a.bc.example.com',       'a.bc.example.com'),\narray('Disallow wrong Subdomain',              'a.*.example.com', 'b.bc.example.com',       'none'),\narray('Correctly handle dots in allowed',      'example.com',     'exampleXcom',            'none'),\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I needed a PHP-only solution, so just in case someone needs it as well. It takes an allowed input string like &#8220;*.example.com&#8221; and returns the request header server name, if the input matches. 
function getCORSHeaderOrigin($allowed, $input) { if ($allowed == &#8216;*&#8217;) return &#8216;*&#8217;; $allowed = str_replace(&#8216;.&#8217;, &#8216;\\.&#8217;, $allowed); if (($wildcardPos = strpos($allowed, &#8216;*&#8217;)) !== false) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8045","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/8045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=8045"}],"version-history":[{"count":1,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/8045\/revisions"}],"predecessor-version":[{"id":8666,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/8045\/revisions\/8666"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=8045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=8045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=8045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}