<cfscript>
// CORS allow-list consumed by setJSONHeaders(): a comma-separated list of
// registrable domains with exactly two labels each (e.g. "foo.de").
// Only the last two labels of the request's Origin host are compared against
// this list, so every subdomain of an entry is trusted and the scheme
// (http:// vs https://) is not checked. Do not include subdomains here.
variables['lstInternalDomains'] = "foo.de,bar.de";
</cfscript>
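<cffunction name="setJSONHeaders" access="private" output="yes" returntype="void">
<cfargument name="lstInternalDomains" type="string" required="yes" />
<cfscript>
// Marks the response as JSON and, when the request's Origin belongs to one of
// the domains in arguments.lstInternalDomains, emits the CORS headers that let
// that origin read the body. Otherwise no CORS headers are emitted at all
// (fail closed); the function never aborts the request.
//
// arguments.lstInternalDomains: comma-separated list of registrable domains,
//     each exactly two labels (e.g. "foo.de"); compared case-insensitively.
// Returns nothing; all effects are on the servlet response.
//
// Trust model (review):
//   - Only the last two labels of the Origin host are compared, so every
//     subdomain of a listed domain is trusted (a takeover of any such
//     subdomain gains CORS access), and a listed entry with more than two
//     labels (e.g. "foo.co.uk") can never match because the regex below only
//     ever yields "label.label".
//   - Scheme and port of the Origin are not checked; http://foo.de is accepted
//     exactly like https://foo.de.
//   - Access-Control-Allow-Credentials is intentionally NOT set, so browsers
//     only expose these responses to non-credentialed cross-origin requests.
//     If it is ever added, the origin reflection below becomes a credentialed
//     cross-origin read and the allow-list must be re-reviewed.
var local = {};
local.pc = getpagecontext().getresponse();
// NOTE(review): content type is set on the unwrapped response while the
// headers below go through the wrapper; kept as the original did it.
local.pc.getresponse().setcontenttype('application/json; charset=utf-8');
// The response (ACAO present or not) depends on the Origin request header, so
// any shared cache must key on it; otherwise one origin's ACAO value could be
// served to another origin. addHeader is used so an existing Vary is kept.
local.pc.addHeader('Vary','Origin');
local.headers = getHttpRequestData().headers;
local.origin = '';
local.strDomain = '';
if (structKeyExists(local.headers,'Origin')) {
    local.origin = local.headers['Origin'];
    // Browsers legitimately send Origin values like "null" (sandboxed frames,
    // file://, some redirects) and arbitrary clients can send anything.
    // java.net.URL throws on those, which previously turned the request into
    // a server error; treat an unparsable Origin as "not internal" instead.
    try {
        local.objUrl = createObject('java','java.net.URL').init(javaCast('string',local.origin));
        // Reduce the host to its last two labels: "api.foo.de" -> "foo.de".
        // A host without a dot is returned unchanged and will not match.
        local.strDomain = ReReplace(local.objUrl.getHost(),'^(?:.*\.)?([^.]*\..*)$','\1','ONE');
    } catch (any e) {
        local.strDomain = '';
    }
    if (len(local.strDomain) and listFindNoCase(arguments.lstInternalDomains,local.strDomain)) {
        // Reflect the exact Origin rather than "*" so the allow-list is enforced.
        local.pc.setHeader('Access-Control-Allow-Origin',local.origin);
        local.pc.setHeader('Access-Control-Allow-Methods','GET, POST, HEAD, OPTIONS');
        local.pc.setHeader('Access-Control-Allow-Headers','X-Requested-With, Origin, Content-Type, Accept');
    } // end if (listFindNoCase(arguments.lstInternalDomains,local.strDomain))
} // end if (structKeyExists(local.headers,'Origin'))
return;
</cfscript>
</cffunction>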
...
<cffunction name="myMethod" access="remote">
<cfscript>
// Remote (HTTP-reachable) entry point. When the caller asks for JSON via
// ?returnFormat=json (CF's `eq` is a case-insensitive string compare), the
// JSON content type and the origin-checked CORS headers are applied first.
// setJSONHeaders() does not abort for a non-listed origin: it just emits no
// CORS headers, so the browser blocks the read while the method still runs.
// NOTE(review): the remainder of the body is not shown in this excerpt.
if (structKeyExists(URL,'returnFormat') and (URL.returnFormat eq 'json')) {
setJSONHeaders(lstInternalDomains=variables.lstInternalDomains);
}
...
</cfscript>
</cffunction>