Content Services Team (Production)

Handshake Pilot (Prod)

$opt_dummy_attribute

Anonymous Users

Non-India Users

Pro Lite GTM (Production)

Non-Trial Users

Admin Users

Optimizely Test Users

Non-Student Users

Billing Update Modal (Production)

Mobile Wallet Internal Testers

Free Users

Optimizely-Generated Audience for Backwards Compatibility

anonymous

trial

admin

optimizely_test_user

student

free

A full-stack engineer can get a project done from start to finish, back-end to front-end.

Full-Stack Engineer

Learn how to use JavaScript — a powerful and flexible programming language for adding website interactivity.

Learn JavaScript

Determines which requests from other pieces of web content have access to the current resource.


**`Access-Control-Allow-Origin`** in a CORS response header that tells which requests from other pieces of web content (and their `origin`s) have access to the current resource and, thus, can be loaded by the browser.

## Syntax

```pseudo
Access-Control-Allow-Origin: directive
```

The `directive` is set to either of the following:

| Directive | Description                                                                                                                                                                           |
| :-------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|    `*`    | This is a wildcard that tells browsers to allow requests from any content `origin` to access the resource.                                                                            |
| `origin`  | A single, specific `origin` of content made of a scheme/protocol, hostname, and port (e.g., a [URL](https://www.codecademy.com/resources/docs/general/url)).                          |
|  `null`   | Sets the `origin` to `null` (however, this should be [avoided](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null) in most cases). |

## Example

The following is an example of a response header that is set to accept requests from the `origin`, "https://www.codecademy.com/learn":

```shell
Access-Control-Allow-Origin: https://www.codecademy.com/learn
```


Access-Control-Allow-Origin

General Terms

Back to General

General

Directive	Description
`*`	This is a wildcard that tells browsers to allow requests from any content `origin` to access the resource.
`origin`	A single, specific `origin` of content made of a scheme/protocol, hostname, and port (e.g., a URL).
`null`	Sets the `origin` to `null` (however, this should be avoided in most cases).

Access-Control-Allow-Origin

Syntax

Example

All contributors

Learn More on Codecademy

Full-Stack Engineer

Learn JavaScript

Resources

Support

Resources

Support

Plans

Community

Subjects

Languages

Career building

Mobile

Mobile