I would love built in CORS support for APIs. I saw one post on how to add CORS, but it uses the wildcard and opens the site up to any domain.

Even though I’ve never written php before, I was able to cobble together a temporary solution that can be pasted at the top of these API endpoints:

• http://your_sendy_installation/subscribe.php
• http://your_sendy_installation/unsubscribe.php
• http://your_sendy_installation/api/subscribers/delete.php
• http://your_sendy_installation/api/subscribers/subscription-status.php
• http://your_sendy_installation/api/subscribers/active-subscriber-count.php
• http://your_sendy_installation/api/campaigns/create.php

Code:

```

$origin = $_SERVER['HTTP_ORIGIN'];

function get_domain($host){
    $myhost = strtolower(trim($host));
    $count = substr_count($myhost, '.');
    if($count === 2){
        if(strlen(explode('.', $myhost)[1]) > 3) $myhost = explode('.', $myhost, 2)[1];
    } else if($count > 2){
        $myhost = get_domain(explode('.', $myhost, 2)[1]);
    }
    return $myhost;
}

$origin_domain = get_domain($origin);

$allowed_domains = [
    'example.com',
    'example.org',
    'example.net',
];

if (in_array($origin_domain, $allowed_domains)) {
    header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Access-Control-Allow-Origin: ' . $origin);
}

```

Please note that $allowed_domains includes all subdomains.

Also, a note for others using fetch/axios. The content-type must be application/x-www-form-urlencoded;charset=UTF-8, and the body can be built using the querystring package or URLSearchParams.

References

• https://wesbos.com/mailchimp-to-sendy/
• https://stackoverflow.com/questions/1201194/php-getting-domain-name-from-subdomain/49338205#49338205
• https://stackoverflow.com/questions/7564832/how-to-bypass-access-control-allow-origin/17098221#17098221