Assume that there is an application with the URL domain https://srcdomain.com, and that there is another application with the URL domain https://destdomain.com.
If the other application has to be integrated with the source application, and to allow accessing the destdomain app from the srcdomain app (inside a frame), in which application does the CORS header have to be added? Does the configuration below have to be added to the httpd.conf file of the srcdomain application or the destdomain application?
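    # Store the Origin in an env var only when it exactly matches an allowed origin
    SetEnvIf Origin "^https://(srcdomain|destdomain)\.com$" AccessControlAllowOrigin=$0
    # Send the header only when the env var was set by the match above
    Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin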
I do not have a local setup to replicate the problem. I need input on this query.
I think you are getting confused because you use the terms "source" and "destination", which usually imply something moving from one place to another.
The right terms would be "provider" and "consumer". The provider is the service that provides some functionality over an API and the consumer is the one that uses the API to consume the provider data.
The simplest example would be having a BE API service and a FE App on different domains:
It is the provider that restricts access to its resources (or, for security reasons, there are default restrictions in place, like CORS restrictions).
In my example the backend API service will need to add the required HEADERS to allow requests from app.anotherdomain.com or specify a wildcard and allow requests from any domain.
You should read more about such restrictions:
Also, make sure you check this answer out: Why are iframes considered dangerous and a security risk?
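
As an added example (not part of the original question or answer), this Python code models the provider-side decision described above: it compares a loosely written origin pattern, an anchored one, and an exact allowlist over constructed Origin values. It assumes the consumer is https://srcdomain.com; the function names are hypothetical.

```python
import re

# Assumption: the provider should accept only the consumer app's origin.
ALLOWED_ORIGINS = {"https://srcdomain.com"}

# A loosely written pattern: no start anchor, an unescaped dot, and ".com"
# bound to only one branch of the alternation.
LOOSE = re.compile(r"https://(srcdomain|destdomain.com)$")
# Anchored and escaped, so only the two intended origins match.
STRICT = re.compile(r"^https://(srcdomain|destdomain)\.com$")

# Constructed Origin header values for the comparison.
SAMPLE_ORIGINS = [
    "https://srcdomain.com",
    "https://destdomain.com",
    "https://srcdomain",
    "https://destdomainxcom",
    "https://other.example",
]


def regex_accepts(pattern, origin):
    """Mimic an unanchored regex test against the Origin header."""
    return pattern.search(origin) is not None


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Headers the provider adds for a request carrying this Origin."""
    if origin in allowed:
        # Echo the exact origin; Vary stops caches reusing it for others.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # No Access-Control-Allow-Origin: the browser blocks the cross-origin read.
    return {"Vary": "Origin"}


def compare():
    """Return (origin, loose, strict, exact-allowlist) for each sample."""
    return [
        (o, regex_accepts(LOOSE, o), regex_accepts(STRICT, o),
         "Access-Control-Allow-Origin" in cors_headers(o))
        for o in SAMPLE_ORIGINS
    ]


if __name__ == "__main__":
    for row in compare():
        print("%-26s loose=%-5s strict=%-5s allowlist=%s" % row)
```

The loose pattern rejects the intended consumer origin while accepting values that were never meant to match, which is why an exact allowlist on the provider is the safer check.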