Is there a way to enable Cross-Origin Resource Sharing for WordPress' ajaxurl?

WordPress already has a default URL for jQuery-WordPress application calls and it’s well known as the ajaxurl. However, there are cases wherein one would need to enable Cross-Origin Resource Sharing (CORS) on it such that any hostname will be able to access using it.

My current solutions is by adding a line in /wp-includes/http.php with:

@header( 'Access-Control-Allow-Origin: *' );

Such that it will be:


function send_origin_headers() {
    $origin = get_http_origin();

    @header( 'Access-Control-Allow-Origin: *' );
    if ( is_allowed_http_origin( $origin ) ) {
        @header( 'Access-Control-Allow-Origin: ' .  $origin );
        @header( 'Access-Control-Allow-Credentials: true' );
        if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )
        return $origin;

    if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
        status_header( 403 );

    return false;

It works but editing the WordPress core is not a good solution.

Is there a better way to enable CORS for the ajaxurl?

Solutions Collecting From Web of "Is there a way to enable Cross-Origin Resource Sharing for WordPress' ajaxurl?"

Milo is correct.

For instance, go to your theme’s functions.php file, and add the following:

add_filter( 'allowed_http_origins', 'add_allowed_origins' );
function add_allowed_origins( $origins ) {
    $origins[] = '';
    $origins[] = '';
    return $origins;

Now an ajax call from to your site’s ajax url will have the appropriate Access-Control-Allow-Origin header in the response. eg.

    url: '',
    type: "POST",
    data: {
    success: function(doc) {

You can achieve it by the following code.

Open you header.php

find the following text in that file

< !DOCTYPE html>

and replace it with the following.

<?php /** @package WordPress @subpackage Default_Theme  **/
header("Access-Control-Allow-Origin: *"); 
<! DOCTYPE html>

Now u can find Access-Control-Allow-Origin: * in your header.

Hope this helps..!Cheers.