
Answer-first summary for fast verification
Answer: Access-Control-Allow-origin: https://www.example.com
The question requires configuring CORS so that only requests from https://www.example.com are allowed. The correct response header is `Access-Control-Allow-Origin` set to that exact origin. Option D specifies the correct origin; its header name is written with a lowercase 'origin', which is acceptable because HTTP header field names are case-insensitive. Options A and B use wildcards (* or *.example.com), which are either too permissive or invalid syntax. Option C sets the function's own domain, which does not match the client's origin.
Author: LeetQuiz Editorial Team
You have an application that uses an HTTP Cloud Function to process user activity from both desktop browser and mobile app clients. This function serves as the endpoint for all metric submissions via HTTP POST.
Due to legacy constraints, the function must be mapped to a separate domain (https://fn.example.com) from the one used by web or mobile clients (https://www.example.com). To ensure only these browser and mobile sessions can submit metrics to the Cloud Function, which HTTP response header should you configure?
A. Access-Control-Allow-Origin: *
B. Access-Control-Allow-Origin: https://*.example.com
C. Access-Control-Allow-Origin: https://fn.example.com
D. Access-Control-Allow-origin: https://www.example.com
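The exact-origin rule behind option D, as an added example (not part of the original quiz and not code from any cloud provider): a framework-free Python version of the function's header logic, including the preflight a browser sends before a cross-origin POST. `ALLOWED_ORIGIN`, `cors_headers` and `handle` are hypothetical names, and the 403 for a mismatched Origin is an added server-side check that the question does not ask for.

```python
# Added example; all names here are hypothetical.
ALLOWED_ORIGIN = "https://www.example.com"  # the client origin from the question


def cors_headers(origin):
    """Return the CORS response headers for a request's Origin value."""
    # Vary: Origin stops shared caches reusing a response across origins.
    headers = {"Vary": "Origin"}
    # Exact comparison of scheme, host and port. No wildcard, suffix or
    # substring matching, so https://www.example.com.attacker.test fails.
    if origin == ALLOWED_ORIGIN:
        headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN
    return headers


def handle(method, request_headers):
    """Stand-in for the function's HTTP entry point: (status, headers)."""
    # Header field names are case-insensitive, so normalise before lookup.
    req = {name.lower(): value for name, value in request_headers.items()}
    origin = req.get("origin")
    headers = cors_headers(origin)
    allowed = "Access-Control-Allow-Origin" in headers

    if method == "OPTIONS":
        # Preflight: only an allowed origin is told that POST is permitted.
        if allowed:
            headers["Access-Control-Allow-Methods"] = "POST"
            headers["Access-Control-Allow-Headers"] = "Content-Type"
        return 204, headers
    if method != "POST":
        headers["Allow"] = "POST, OPTIONS"
        return 405, headers
    # CORS is enforced by the browser, not by the server, and non-browser
    # clients usually send no Origin at all. Rejecting a present but
    # mismatched Origin is an extra check, not a substitute for
    # authenticating the session.
    if origin is not None and not allowed:
        return 403, headers
    return 204, headers
```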