CORS

Here is an extremely permissive set of CORS HTTP headers,
in an .htaccess/Apache-compatible format.

If you’re using old GoDaddy.com hosting, you’ll need this first:

Header unset   Access-Control-Allow-Methods
Header unset   Access-Control-Allow-Origin
Header unset   Access-Control-Allow-Headers
Header unset   Access-Control-Expose-Headers
Header unset   Access-Control-Allow-Credentials
Header unset   Timing-Allow-Origin
Header unset   X-Permitted-Cross-Domain-Policies

This is what you’re looking for:

Header   set   Access-Control-Allow-Methods        "CONNECT,DELETE,GET,HEAD,OPTIONS,PATCH,PING,POST,PUT,TRACE"
Header   set   Access-Control-Allow-Origin         "*"
Header   set   Access-Control-Allow-Headers        "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since,Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"
Header   set   Access-Control-Expose-Headers       "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since,Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"
Header   set   Access-Control-Allow-Credentials    "true"
Header   set   Timing-Allow-Origin                 "*"
Header   set   X-Permitted-Cross-Domain-Policies   "all"

Note that both Access-Control-Allow-Headers and Access-Control-Expose-Headers lack the option of having * as a value; for this reason their value is quite a long string of the most commonly used HTTP header names (collected by me…).
Some hosting/servers might have issues with such a long header value.
You can try to split the value in half, using two headers;
in some cases you’ll need to shorten things further,
if the HTTP header value is still too long for your server.

You could try splitting the value into two calls using add:

Header   add   Access-Control-Allow-Headers        "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since"
Header   add   Access-Control-Allow-Headers        "Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"

Header   add   Access-Control-Expose-Headers       "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since"
Header   add   Access-Control-Expose-Headers       "Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"

And you can also simply remove some…
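
How a browser evaluates the header set above, as an added example in JavaScript (not code from the original page): a simplified model of the Fetch standard's CORS checks, run on a constructed, abbreviated copy of those headers. The function names and the request shape are assumptions made for the illustration.

```javascript
// Constructed sample: the page's headers as a response would carry them, with
// the long Allow-Headers list abbreviated and sent as two "Header add" lines.
const permissive = [
  ["Access-Control-Allow-Origin", "*"],
  ["Access-Control-Allow-Credentials", "true"],
  ["Access-Control-Allow-Methods", "CONNECT,DELETE,GET,HEAD,OPTIONS,PATCH,PING,POST,PUT,TRACE"],
  ["Access-Control-Allow-Headers", "Accept,Content-Type,If-Modified-Since"],
  ["Access-Control-Allow-Headers", "Keep-Alive,X-Requested-With"],
];
const same = (a, b) => a.toLowerCase() === b.toLowerCase();

// Repeated header lines are combined into one comma-separated list.
function listOf(headers, name) {
  return headers.filter(([n]) => same(n, name))
    .flatMap(([, v]) => v.split(","))
    .map((t) => t.trim().toLowerCase()).filter(Boolean);
}
// Allow-Origin and Allow-Credentials must appear exactly once to be usable.
function single(headers, name) {
  const hits = headers.filter(([n]) => same(n, name));
  return hits.length === 1 ? hits[0][1].trim() : null;
}

// req: { origin, credentials (boolean), method, headers: non-safelisted names }
function corsVerdict(headers, req) {
  const origin = single(headers, "Access-Control-Allow-Origin");
  if (origin === null) return "blocked: no usable Allow-Origin";
  if (req.credentials) {
    // With cookies or HTTP auth, "*" is not a wildcard: the value must equal
    // the requesting origin, and Allow-Credentials must be exactly "true".
    if (origin !== req.origin) return "blocked: Allow-Origin must name the origin";
    if (single(headers, "Access-Control-Allow-Credentials") !== "true")
      return "blocked: Allow-Credentials is not true";
  } else if (origin !== "*" && origin !== req.origin) {
    return "blocked: origin mismatch";
  }
  // In the two lists, "*" counts as a wildcard only without credentials.
  const ok = (list, item) =>
    list.includes(item.toLowerCase()) || (!req.credentials && list.includes("*"));
  const simple = ["GET", "HEAD", "POST"].includes(req.method);
  if (!simple && !ok(listOf(headers, "Access-Control-Allow-Methods"), req.method))
    return "blocked: method not allowed";
  const allowed = listOf(headers, "Access-Control-Allow-Headers");
  const bad = req.headers.find((h) => !ok(allowed, h));
  return bad ? "blocked: header " + bad + " not allowed" : "allowed";
}
```

Calling `corsVerdict(permissive, req)` with `credentials: true` returns a blocked verdict because of the `*` origin, and a request header that is missing from the list (`Authorization` is not in the page's list) fails the preflight.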


In addition to the permissive CORS HTTP headers,
which will suit HTML5 and newer web programming,
you can add permissive CrossDomain.xml and ClientAccessPolicy.xml files,
which will add support for Adobe (Macromedia) Flash, Flex and .NET’s Silverlight to your website.

And thanks to X-Permitted-Cross-Domain-Policies being set to all, you will be able to place those two XML files in any sub-path you like (normally they are limited to the root/sub-domain’s root).